there is no way to give access to run an external binary from a sandboxed app? (unless it happens to be in one of the system dirs that have an exception).
There are a number of ways to run an external binary from a sandboxed app. You are just trying one, particularly difficult way. Due to the nature of this particular tool, running it from the sandbox may be challenging.
Is there a path that a binary could be downloaded that can then be executed? It would seem that this is not possible, otherwise I could just copy the binary from /usr/local/bin there. That would mean that any GPL tool is completely off limits for a sandboxed app (unless the app itself is GPL), which is unfortunate.
To clarify a couple of things...
First of all, the GPL limitation is for the Mac App Store. You can sandbox your app and distribute it directly. Apple would encourage that. And you could give yourself any kind of temporary exception you want (within reason). The GPL is a legal restriction, not a technical one.
Assuming you are talking about the Mac App Store here, Apple explicitly allows plug-ins in the Mac App Store, "Apps distributed via the Mac App Store may host plug-ins or extensions that are enabled with mechanisms other than the App Store."
You would still have technical restrictions due to the sandbox. But those restrictions only app to processes that your sandboxed app launches via traditional fork (or fork-like) operations. What I'm saying is that you could wrap FFmpeg in a stand alone app that listens for input via Bonjour or some other IPC. Then, your sandboxed app could launch that FFmpeg wrapper (via NSWorkspace) and pass any work to be done via your IPC channel. You might be able to do this all in the URL, perhaps via a Universal Link.
Your wrapper would have to be GPL to comply with FFmpeg's license. Or your could develop a more general wrapper that wrap any open-source tool. Then you wouldn't need the GPL. At this point, your only remaining hurdle would be to deliver useful functionality in the Mac App Store without the plugin. Apple requires Mac App Store apps to do something functional and useful without any great area "extras".
From an implementation standpoint, all of this is much easier than it sounds. I would suggest a wrapper that is specific to FFmpeg and supports only the options that your app needs to use.
An even better idea would be to see if you can implement this using a supported Apple API. Then you don't have to do any extra work.