Do I understand correctly that you scope least-privilege creds/tokens and pass those to the sandbox? I'd be curious to learn more