I think OpenAI's Codex does this. Not sure to what degree, but sandboxing seems to be a priority for that project. Possibly to their detriment since last time I tried it it was not nearly as good as Claude Code.

Codex-cli does use MacOS sandboxing by default. It does unfortunately cause issues for my workflow because the agent is very restricted in what it is allowed to do (like, read/write the Go build cache) and its command whitelisting configurability is currently nonexistent. I'm looking into using containers to allow the agent more autonomy within its environment.