I don't think we should ask the agent runtime to police itself.

I contributed to a tool for this problem that is lower-friction than traditional sandboxing:

greywall.io

But you should use something to contain an agent runtime. The idea that people run things like codex on their machines with regular user permissions is baffling to me.