TBF, Virustotal is a totally legit site that professionals use and trust. You just have to know how to interpret the results.
I've been using it for years when I have something suspicious to scan. Mostly for work.
Scanning just by "something like Avast" gives you the result of a single AV engine while Virustotal has a collection of about 70 AV engines (and is cooperating with all of those AV companies) that will scan your file at once, including that "something like Avast" that you would use on your PC.
Jiangmin is known for false positives. I haven't seen a Ren'Py game yet that gets a clean bill from Jiangmin.
And I'm not familiar with the MaxSecure engine.
But when the top AV engines like ESET, BitDefender, F-Secure, Kaspersky, and quite a few others have no problems and only one or two of the total 70 claim to have found something, then there likely isn't anything malicious inside the scanned file.
However, the problem is that in the code of any game there can be a completely normal command to download something and run it. This something can be either legit or malicious. They can do this at any point of the game being run, not necessarily right after starting it.
None of the AV engines would be able to detect this and none of them do by scanning the passive code that hasn't been run.
So while you are welcome to try to scan these games on Virustotal or anything you like, you can never be sure that there is no such code in the game you just scanned and that seemed to be clean while scanning the passive code. Only a real-time AV scanner or a firewall that blocks unknown executables from the internet would be able to detect such behavior while running the game.
While none of the developers of the games have done anything like this, there has been a recent problem with a malicious uploader on F95 who has been trying to hide such code in games downloaded directly from developers' Patreon sites and posting them here as first uploaders in game threads:
https://f95zone.to/threads/recent-malware-infected-games.207437/
Getting new game updates from download links in the game thread OP a day or two after they have been posted instead of the links posted in the game thread by unknown new users or users with only a few posts the minute they've been posted is currently the safest method to avoid such uploads, besides getting them from the developers' Patreon sites, that is.
So while running these games in Sandboxie or a VM without internet access is a good policy to keep your system clean, scanning them using an AV engine while the game code hasn't been run yet is not something you can rely on.
Sandboxie itself won't block such downloads and they might have a chance to poison your Sandbox, so you'd be forced to delete/reset it. Blocking internet for the sandbox might help you to keep it clean.
Also, 2. and 3. are irrelevant. Doesn't matter where you extract it if you are going to run it in the Sandboxie sandbox. The files created or modified by Sandboxie are going to be in your sandbox on your system drive anyway.
Since this is off-topic here, it would be a better idea to ask such questions and find answers to them in the thread I mentioned above:
https://f95zone.to/threads/recent-malware-infected-games.207437/
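
The way of reading a multi-engine result described in the post, sketched as an added example that is not part of the original post: it weighs which engines flagged a file and records that a static verdict says nothing about code that downloads and runs something later. The engine label spellings, the threshold of two, the sample report and the engine name `SlowEngine` are assumptions constructed for illustration; the JSON shape follows the VirusTotal API v3 file report.

```python
import json

# Engines named in the post; spellings follow VirusTotal's labels (assumption).
TRUSTED = {"ESET-NOD32", "BitDefender", "F-Secure", "Kaspersky"}
NOISY = {"Jiangmin"}  # described in the post as prone to false positives

# Constructed sample shaped like a VirusTotal v3 file report; SlowEngine is hypothetical.
SAMPLE_REPORT = json.loads("""
{"data": {"attributes": {"last_analysis_results": {
  "ESET-NOD32":  {"category": "undetected", "result": null},
  "BitDefender": {"category": "undetected", "result": null},
  "F-Secure":    {"category": "undetected", "result": null},
  "Kaspersky":   {"category": "undetected", "result": null},
  "Jiangmin":    {"category": "malicious",  "result": "Trojan.Generic.constructed"},
  "MaxSecure":   {"category": "malicious",  "result": "Trojan.Malware.constructed"},
  "SlowEngine":  {"category": "timeout",    "result": null}
}}}}
""")

def triage(report):
    """Summarise which engines flagged a file and how much weight that carries."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {name for name, r in results.items()
               if r.get("category") in ("malicious", "suspicious")}
    scanned = {name for name, r in results.items()
               if r.get("category") in ("malicious", "suspicious", "undetected", "harmless")}
    trusted_hits = sorted(flagged & TRUSTED)
    other_hits = sorted(flagged - TRUSTED)
    if trusted_hits:
        verdict = "investigate"            # a top engine flagged the file
    elif len(other_hits) > 2:
        verdict = "investigate"            # more than "one or two" engines agree
    elif other_hits:
        verdict = "likely-false-positive"
    else:
        verdict = "no-static-detections"
    return {
        "verdict": verdict,
        "flagged": len(flagged),
        "scanned": len(scanned),           # engines that returned a verdict
        "trusted_hits": trusted_hits,
        "other_hits": other_hits,
        "known_noisy_hits": sorted(flagged & NOISY),
        # Static scan only: a later download-and-run is outside what was scanned.
        "covers_runtime_downloads": False,
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```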