Yeah, this is the part that keeps me up at night honestly. The dev machine is the juiciest target and it's where the agent runs with the most access. Your ~/.ssh, ~/.aws, .env files, everything just sitting there.

The NixOS microvm approach at least gives you a clean boundary for the agent's execution. But you're right that it's a different threat model from prod - in prod you've (hopefully) scoped things down, in dev you're basically root with keys to everything.