To explain this one, nix will set up a sandbox using its usual sandboxing features, and then execute the commands in there. It’s just a normal nix package build, except that the build instructions are a little unusual.
copyToRoot then just takes this package and copies it verbatim into the container.
On systems with cgroups this will actually do exactly what @j-k suggests, it creates an unprivileged container. But it has the flexibility to fall back to just a tmpdir because it’s the basic nix functionality.
Which in turn is a wrapper around the derivation built-in
@mdr if you want to understand what these derivation functions actually do under the hood, the nix pills, and particularly chapter 6, is where that’s best explained. They’re a bit advanced though, you may want to at least read the nix language primer first, and should probably get comfortable with building software using stdenv.mkDerivation as well.
After that it should become pretty apparent what you’re doing here, and where the differences are. It’s probably hard to understand from one-off comments here, as much as we try.
