One benefit is that this can run in serverless / sandboxed containers where OS primitives are not exposed or heavily limited. I immediately thought of Cloudflare Workers, which runs on V8 and exposes WASM-only interfaces, using Workers AI.
Further, servers still have hosting value, but any business running agents is almost certainly going to want a sandbox that limits what code runs for agentic work, so targeting _sandbox_ environments is probably the better bet long-term. And, yes, you could implement your proposal in any chroot jail or gvisor, but nobody wants to get their hands dirty finnicking with that - programmatic access control beats file-based access control for the simple reason it's managed for you.
If anything, my critique of OP's implementation is actually the opposite of yours: they've chosen the right primitive and layer, but people really need contextual access control rather than RBAC. Sort of like ongoing zero trust. If it was possible to inspect the context, decide if it was a bad idea to allow the tool call, without exposing the decider to untrusted context, you could have something that really changes things.
Completely agree, though the LLM part of the scanner can help with that contextual part of the analysis.
Runtime enforcement already exists (the embedded governor wraps tool calls in-process); extending it with a quarantined contextual evaluator like you describe would the logical next step.
Thanks for the feedback, actually will raise an issue on that to explore