There's no sandbox of any kind, at least on Linux, and the permission system is self-defeating. The agent will ask to run something like `bash -c "npm test"` and ask you to whitelist "bash" for future use. I don't use it daily because I don't find it useful to begin with, but when I take it for a spin it's always inside a full VM.