furyofantares 3 days ago
By default you have to approve every command it runs. I think most people end up allowing certain tools through unconditionally, like grep, which is technically not bulletproof but feels pretty safe. The agent program also has some guardrails to prevent the model from working outside of the working directory you launched it from; that is also not bulletproof but in practice works pretty well. You could set up a Docker image and run it in that if you wanted.
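An added example, not code from the comment author or from any agent tool, showing why a "stay inside the working directory" guardrail is not bulletproof on its own. It compares a naive string-prefix check against one that resolves symlinks and requires a path-component boundary, using a constructed temporary layout with hypothetical names (a `proj` workdir, a `proj-secrets` sibling, and an `escape` symlink). Both the directory layout and the secret file are constructed for the demo.

```python
import os
import tempfile


def naive_in_workdir(path: str, workdir: str) -> bool:
    """String-prefix check after normalising '..': catches casual
    traversal but ignores symlinks and prefix collisions."""
    return os.path.abspath(path).startswith(os.path.abspath(workdir))


def resolved_in_workdir(path: str, workdir: str) -> bool:
    """Resolve symlinks on both sides, then require that the target is the
    root itself or sits below it at a path-component boundary."""
    root = os.path.realpath(workdir)
    target = os.path.realpath(path)
    return target == root or target.startswith(root + os.sep)


def build_fixture() -> dict:
    """Constructed layout (hypothetical names) under a fresh temp dir:
    a workdir 'proj', a sibling 'proj-secrets' whose name shares the
    workdir's prefix, and a symlink inside the workdir pointing at it."""
    base = tempfile.mkdtemp(prefix="agent-demo-")
    workdir = os.path.join(base, "proj")
    sibling = os.path.join(base, "proj-secrets")
    os.makedirs(workdir)
    os.makedirs(sibling)
    secret = os.path.join(sibling, "creds.txt")
    with open(secret, "w") as fh:
        fh.write("constructed sample secret, not real\n")
    link = os.path.join(workdir, "escape")
    os.symlink(sibling, link)
    return {
        "workdir": workdir,
        # a normal file the agent should be allowed to touch
        "inside": os.path.join(workdir, "src", "main.py"),
        # plain '..' traversal into an unrelated sibling directory
        "plain_traversal": os.path.join(workdir, "..", "other", "notes.txt"),
        # absolute path into the sibling whose name starts with 'proj'
        "prefix_collision": secret,
        # the same secret reached through the symlink inside the workdir
        "via_symlink": os.path.join(link, "creds.txt"),
    }


def evaluate(fixture: dict) -> dict:
    """Return {case: (naive_verdict, resolved_verdict)} for each test path."""
    wd = fixture["workdir"]
    return {
        name: (naive_in_workdir(p, wd), resolved_in_workdir(p, wd))
        for name, p in fixture.items()
        if name != "workdir"
    }


if __name__ == "__main__":
    for case, (naive, resolved) in evaluate(build_fixture()).items():
        print(f"{case:18s} naive={naive!s:5s} resolved={resolved}")
```

The naive check rejects the plain `..` traversal, which is why it feels safe in practice, but it lets through both the prefix-colliding sibling and the symlink escape; the resolved check rejects both. Even the resolved version only governs paths the agent hands to its own file tools, not what an approved command like `grep` or a shell invocation does on its own, which is the gap a container or other OS-level sandbox closes.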