Hacker News
by andai 98 days ago
A lot of people are already not reading all the code their agent generates. But they are running it. So the agent already has the ability to run arbitrary code. So I kind of don't understand the point of sandboxing at the level of the agent itself.

The whole thing should be running "sandboxed", whether that's a separate machine, a container, an unprivileged linux user, or what floats your boat.

But once you do that, which you should be anyway, what do you need sandboxing at the agent level for? That's the part I don't really understand.

Or is the point "well, most people won't bother running this stuff securely, so we'll try to make it reasonably secure for them even though they're doing it wrong"?