> The proxy sits inside the VM rather than on our servers because only the VM knows provenance—from the server's perspective, a Cowork request is indistinguishable from any other API client.

That means the attacker can still exfiltrate files if they get root inside the VM.

Why not run the proxy outside the VM, still on the client?