Comment by jy-tan

Yes, currently writes are deny-by-default, but reads are allow-by-default.

The challenge is that most programs need read access to system paths (/lib, /usr, /etc, /proc) just to run. A pure "deny all reads" mode would require users to figure out every dependency, which might be painful.

That said, a middle-ground would be reasonable, perhaps something like "defaultDenyRead: true" that blocks home/cwd/etc but still allows essential system paths, then lets you opt-in with "allowRead".

Curious what is your use case that makes deny-by-default reads more helpful? Either way, will file this as an issue.