> yet their sandboxed agent has access to all of their code, their GitHub, and unrestricted web access.

Not in my sandbox. It gives no direct access to the workdir, no access to my GitHub, my SSH keys, my security tokens or API keys. No access to my home dir or dotfiles. Nothing at all, except for what I explicitly tell it to give access to.

I can restrict network access. I can choose the isolation level: Docker containers, Kata VMs, Seatbelt, Tart, even the new Apple containers (which are VERY nice).

Not even ENV leaks through.

And it's FOSS: https://github.com/kstenerud/yoloai