> they're not sandboxes

Yes they can be, and Codex offers one. It uses Bubblewrap and seccomp on Linux which are perfectly capable of restricting filesystem access.

In a default setup every command is executed inside a restrictive sandbox and you're only asked for permission to run that command if the execution fails.

I don't necessarily think that it's a good idea to rely on these sandboxes as your only line of defense but that's absolutely a feature that they can, should, and do offer.