I don't want to isolate the container from the Internet :-) I understand that this is not the safest possible way (exfiltration is still possible, but I mostly work on open source anyway, so that's not an issue), but I think the convenience wins here.
That said, if you have suggestions that are not super inconvenient, please let me know.
My main goal with this was to make sure it cannot go wild on my own system.