Comment by realityfactchex

> user permissions/groups never come into the sandboxing discussions

Sometimes *nix user accounts for AI agent sandboxing does come up in discussions. At [0], HN user netcoyote linked to his sandvault tool [1], which "sandboxes AI agents in a MacOS limited user account".

Actually seems like a great idea IMO, to be lightweight, generic, and robust-enough.

[0] https://github.com/webcoyote/sandvault