> allowNet: ["api.openai.com", "*.anthropic.com"],
How to know what domains to allow? The agent behavior is not predefined.
Well, this is the hard part, but the idea is that if you're working with both untrusted inputs and private data/resources, then your agent is susceptible to the "lethal trifecta"[0], and you should be extremely limiting in its ability to have external network access. I would suggest starting with nothing beyond the single AI provider you're using, and only add additional domains if you are certain you trust them and can't do without them.
[0] https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
The idea is to gate automatic secret replacement to specific hosts that would use them legitimately to avoid exfiltration.
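An added example of the allowNet check and the host-gated secret substitution discussed above; this is not code from the thread or from any particular agent sandbox. It assumes the agent only ever sees placeholders of the form `${NAME}` in its headers, that each secret is bound to the hosts allowed to receive it, and that `*.example.com` matches proper subdomains only.

```javascript
// Added example, not code from the thread or any particular sandbox:
// an egress gate for an agent's outbound HTTP requests. The host must be
// in allowNet ("*.example.com" wildcards supported), and a real API key is
// substituted only for hosts that key is bound to, so an injected request
// to any other domain is refused rather than leaving with the secret.

// "*.anthropic.com" matches any proper subdomain, but not the bare apex
// and not lookalikes such as "evil-anthropic.com" (assumed semantics).
function hostMatches(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const p = pattern.toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // ".anthropic.com"
    return h.endsWith(suffix) && h.length > suffix.length;
  }
  return h === p;
}

function hostAllowed(host, allowNet) {
  return allowNet.some((p) => hostMatches(host, p));
}

// request: { url, headers }; header values may carry placeholders such as
// "${OPENAI_API_KEY}". secrets maps a placeholder name to { value, hosts },
// hosts being the only destinations that legitimately receive that key.
function gateRequest(request, allowNet, secrets) {
  const url = new URL(request.url);
  const host = url.hostname;
  if (url.protocol !== "https:") {
    return { allowed: false, reason: `refusing ${url.protocol} egress` };
  }
  if (!hostAllowed(host, allowNet)) {
    return { allowed: false, reason: `host ${host} not in allowNet` };
  }
  const headers = {};
  for (const [name, raw] of Object.entries(request.headers || {})) {
    let reason = null;
    headers[name] = raw.replace(/\$\{([A-Z0-9_]+)\}/g, (m, key) => {
      const s = secrets[key];
      if (!s || !hostAllowed(host, s.hosts)) {
        reason = `secret ${key} not bound to ${host}`;
        return m;
      }
      return s.value;
    });
    if (reason) return { allowed: false, reason };
  }
  return { allowed: true, headers };
}
```

A request to a host outside allowNet, or one that names a key bound to a different host, is refused before any substitution happens, which is the property the thread is after.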