So having looked into this, this is a none exploitable security vulnerability in version 2.1.8 of the snap, as a result of the changes here
The gist of the bug comes down to the use of child_process.exec which runs in a Bash shell. As such, it interprets bash syntax (the &client_id=foobar literally runs as a bash expression). The fix is to instead use child_process.execFile()
From testing, user generated links did not use the same effected code path, so there's no possibility for e.g a maliciously crafted link to run arbitrary bash commands. Since the only effected links come from Joplin itself, they aren't malicious and don't have any impact (aside from not working for their intended purpose such as the Dropbox signup link).
This is embarassing for myself and I apologise for the last few weeks it means that the Dropbox authentication hasn't been working. Fortunately, the security concerns are at least eliminated (and there's a lot of defense in depth with the other aspects of the sandboxing that would have mitigated concerns if it came to), and going forward that same mistake won't be made twice.
2.1.9 will be rolling out in the next hour which fixes the problem and allows Dropbox to authenticate properly again.
Sorry for the inconvienience!