Comment by prakashsunil

Author of LDP here [1].

The core issue seems to be that the security boundary lived inside the agent loop. If the model can request execution outside the sandbox, then the sandbox is not really an external boundary.

One design principle we explored in LDP is that constraints should be enforced outside the prompt/context layer — in the runtime, protocol, or approval layer — not by relying on the model to obey instructions.

Not a silver bullet, but I think that architectural distinction matters here.

[1] https://arxiv.org/abs/2603.08852