There are several ways that processes can end up in the nopriv_ps.
To find out, you need to trace the lineage of the process back to its root -- who is its parent, grandparent . . . etc.
Once you figure out where the process spawned from, you will know what sandbox you need to edit.
One I recently came across that was a bugger was stuff running in the inetd_ps sandbox. Any child that is spawned from a process that runs in the inetd_ps is automatically sent to the nopriv_ps. In the inetd sandbox,you will see at the top of the general section "Specify in the list below programs to route to Daemon Stdpriv" and that is where you tell it what child process to assign to Daemon StdPriv.
This may or not be what you are running into, but I recently came across that.and it may help.
But like I said, tracing the processes back to their root is the way to go. To do this, make sure you have process assignment logging enabled globally, roll over the logs on the agent (to make sure there is room and the log wont roll over in the midlle of a reboot), then reboot the system.
After the system boots, grab a Get Agent Info, and open up the SISIDSEventsXXXX.csv file and filter by type PPST (process assignment) and find the columns with the pset/sandbox, PID and the Parent PID. Then locate the process in question that was assigned to the nopriv_ps. Then find its parent PID, and move to that PID, and repeat until you find the process that is NOT assigned to nopriv_ps, and that is the sandbox where you need to make changes.
Another thing I have seen are processes assigned to nopriv_ps is if you have any of the checkboxes in the default sandboxes check that say "Do not allow X to start" For instance the mysql_ps has that function.