I use Firejail in the terminal as I am also concerned with the things you mentioned. bwrap is also a possibility. For simple usecases, they are not too intrusive. You can easily create a development profile that bans internet access and forbids read access to your important files. Then wrap CLI commands around that, or perhaps even the entire Bash session.

It's like a poorman's QubesOS. I also recommend setting up a userspace firewall like Little Snitch or OpenSnitch. Most malware requires Internet access to do harm. Those provide a good last line of defense. It's a shame the Unix model of giving coarse-grained access to user processes has not been patched. It's not that hard and it's a big security issue.