That why I wrote "a VM or a separate host", "specific credentials" and "data provided to the agent must be considered compromised or leaked".

I should have added, "and every data returned by the agent must be considered harmful".

You should not trust anything done by an agent on the behalf of someone and certainly not giving RW access to all your data and credentials.