[verdverm]

> Docker is too heavy for per-session

Why do you believe this to be true?

I don't agree, I use containers via Dagger

> Full network access

Not really a sandbox if the agent can make POST or GET requests to exfiltrate

[schmuhblaster]

Network can be closed down. It also uses a userland network stack, so future iterations might include being able to define rules for ingress and egress.