That's kind of tangential though. The article is more about using sandboxes to allow `--dangerously-skip-permissions` mode. If you're not looking at the generated code, you're correct, sandboxing doesn't help, but neither does permissioning, so it's not directly relevant to the main point.
My point is that if the threat model is “agent got sensitive information and wants to exfiltrate it”, looking at the code isn’t going to save you. You’re already dead. This was the threat outlined in TFA.
I've noted a few tools seem to have this now if you dig into their settings. vscode has yolo mode and cursor seemed to have something as well. wild