Synchronising a production instance to a sandbox, no matter which side is what, goes against all best practices.
As per your description, the Salesforce may be switched to production. That would break the sync schema so badly you would need a brand new Marketo instance, losing all work and data done on the broken one.
My suggestion is short and straightforward: negotiate a Marketo sandbox with your Marketo Account Executive. It is free for 30 days and, depending on how it is negotiated, can be extended.
Anonymous leads should never be pushed to any CRM. They are not marketable. They have no value for Sales. How would your team contact those anonymous leads? Let marketing automation nurture them, convert them and then pass them to the CRM.
That practice is valid for any marketing automation solution.