Everyone talks about sandboxing the filesystem but nobody talks about what happens when the agent's work outlives the container. Reset happens, state is gone, you start over. I've lost more agent work to session timeouts than to any security issue. Isolation without persistence just means you lose progress safely.