I'm still happy with my containment setup[1][2] on linux. The only risk that I see from the article would be the "Exfiltration through an approved domain" one. But in the VM there's (by design) nothing to exfiltrate besides the source code itself, which is less valuable these days.
The major benefit for me with this setup is that the agent can do all of the dev things that I can (install packages, build/run docker images, ...) which is a way faster loop than me trying it manually and then reporting back to the agent.
[1] https://blog.emilburzo.com/2026/01/running-claude-code-dange...
The agent can get tricked into using a malicious library in your project, then commit and push that, which you then run outside the VM.
So if you ever run the repo code outside the VM and don't review everything committed, you are still in danger.
It doesn't have any credentials inside the VM though, not even for git, so it could commit but not push. And I manually review/commit/push outside of the VM since I don't want to just dump stuff without reading it first.
But good call-out if someone uses a different workflow.
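The workflow the two comments above converge on (the VM can commit but not push; a human reviews on the host before pushing or running anything) still needs the reviewer to actually notice a dependency or build-step change buried in a large agent commit. The script below is an added example, not code from either commenter, the linked blog post, or any project: a hypothetical pre-push helper that parses `git diff` output between the last commit you reviewed and the VM branch head, and lists added lines in dependency manifests and CI/build files so they are read first. The manifest and CI file lists, the "non-registry source" pattern, and the constructed `SAMPLE_DIFF` are all assumptions for illustration.

```python
"""Pre-push review helper: surface dependency and build-step changes made by an
agent inside an untrusted VM before the commits are pushed or run on the host.
Added example; file lists, patterns and the sample diff are constructed assumptions."""
import re
import subprocess

# Files whose edits change which third-party code gets fetched (assumed list).
MANIFESTS = {"requirements.txt", "package.json", "go.mod", "Cargo.toml", "pyproject.toml"}
# Files whose edits change what gets executed during build/CI (assumed list).
EXEC_SURFACES = ("Dockerfile", "Makefile", ".github/workflows/", ".gitlab-ci.yml",
                 ".pre-commit-config.yaml")
# Dependency sources that bypass the package registry: URL pins, git refs, local paths.
REMOTE_SOURCE = re.compile(r"(git\+|https?://|file:|ssh://)", re.IGNORECASE)


def parse_added_lines(diff_text):
    """Return {path: [added lines]} from unified `git diff` output.

    Only '+' lines are kept, because a reviewer mainly needs to know what new
    code or configuration the commits introduce; deletions are ignored.
    """
    added = {}
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            target = line[4:].strip()
            if target == "/dev/null":          # file deleted: nothing added
                path = None
            else:
                path = target[2:] if target.startswith("b/") else target
                added.setdefault(path, [])
        elif path is not None and line.startswith("+") and not line.startswith("+++"):
            added[path].append(line[1:])
    return added


def review_findings(diff_text):
    """Return (path, added line, reason) triples a human should read before pushing."""
    findings = []
    for path, lines in parse_added_lines(diff_text).items():
        name = path.rsplit("/", 1)[-1]
        for line in lines:
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if name in MANIFESTS:
                if REMOTE_SOURCE.search(stripped):
                    reason = "dependency from non-registry source"
                else:
                    reason = "new/changed dependency line"
                findings.append((path, stripped, reason))
            elif path.startswith(EXEC_SURFACES) or name in EXEC_SURFACES:
                findings.append((path, stripped, "build/CI step changed"))
    return findings


def diff_between(base, head="HEAD"):
    """Run git on the host; `base` is the last commit you personally reviewed."""
    result = subprocess.run(["git", "diff", base, head],
                            check=True, capture_output=True, text=True)
    return result.stdout


# Constructed sample diff standing in for what an agent's commits might contain.
SAMPLE_DIFF = """\
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,4 @@
 requests==2.31.0
 flask==3.0.0
+pyyaml==6.0.1
+helperlib @ git+https://example.invalid/someone/helperlib.git
diff --git a/src/app.py b/src/app.py
--- a/src/app.py
+++ b/src/app.py
@@ -1 +1,2 @@
 import flask
+import yaml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5 +5,2 @@
       - run: pytest
+      - run: ./scripts/postinstall.sh
"""


if __name__ == "__main__":
    import sys
    # Usage on the host: python review_vm_commits.py <last-reviewed-commit>
    diff = diff_between(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DIFF
    for path, line, reason in review_findings(diff):
        print(f"{reason}: {path}: {line}")
```

Ordinary source changes (the `src/app.py` hunk) are deliberately not listed; the point is to pull the lines that alter what gets fetched or executed to the top of the review, not to replace reading the rest of the commit.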