Great question! As mentioned in our talk (https://youtu.be/8fiYVyISyz4), we use Cilium to restrict network traffic out of certain workloads running on the cluster. These are L7 network policies. We call this a "data sandbox" because we are restricting the flow from these workloads.
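
For readers unfamiliar with Cilium, here is a sketch of what an L7 egress restriction of this kind can look like. It is an added example, not part of the original reply and not the policy used by the talk's authors. The policy name, namespace, label, hostname and path are all hypothetical.

```yaml
# Added illustration; every name, label, hostname and path below is hypothetical.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: data-sandbox-egress          # hypothetical
  namespace: sandbox                 # hypothetical
spec:
  # Selects the workloads to sandbox. In Cilium's default enforcement mode,
  # once an egress rule selects an endpoint, egress that matches no rule
  # below is dropped.
  endpointSelector:
    matchLabels:
      sandbox: "data"                # hypothetical label
  egress:
    # 1) DNS to kube-dns only, via Cilium's DNS proxy. The proxy is what lets
    #    Cilium learn the IPs behind the toFQDNs rule, and the matchName here
    #    means only the allowed hostname can be resolved at all.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchName: "api.internal.example"
    # 2) HTTP to that one host, restricted at L7 to read-only requests
    #    under a single path prefix. Other methods and paths are rejected
    #    by the proxy even though the L3/L4 connection is allowed.
    - toFQDNs:
        - matchName: "api.internal.example"
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/v1/datasets/.*"
```

HTTP rules only see plaintext traffic, so for HTTPS destinations the method and path matching needs Cilium's TLS inspection; without it the restriction is effectively by FQDN and port.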