psychoslave 5 days ago
Can't the facility just as well try to nuke the repository and every remote it can force push to? The thing is that with prompt injection being a thing, if the automation chain can access arbitrary remote resources, the initial surface can be extremely tiny; once it's turned into an infiltrated agent, opening the doors from within is almost a guarantee. Or am I missing something?
dolmen 21 hours ago | parent | next
With some agents running in VS Code, just altering .vscode/settings.json is enough to lift the agent's restrictions.
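A check a practitioner might want after reading this: treat the workspace's .vscode/settings.json as a policy file and fail a run when it drifts from the committed baseline. The script below is an added example, not code from the thread or from VS Code; it parses the file as JSONC (VS Code allows comments and trailing commas, which plain json.loads rejects) and diffs it against a baseline. The setting name example.agent.autoApprove in the constructed sample is a hypothetical placeholder, not a real VS Code setting.

```python
"""Detect drift in a workspace .vscode/settings.json (added example).

VS Code reads settings.json as JSONC, so comments and trailing commas are
stripped (string-aware) before handing the text to json.loads. Any key an
agent adds, removes or changes relative to the committed baseline is reported.
"""
import json
import sys


def _skip_ws_and_comments(text: str, i: int) -> int:
    """Advance i past whitespace and // or /* */ comments; return new index."""
    n = len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            break
    return i


def strip_jsonc(text: str) -> str:
    """Remove comments and trailing commas outside of string literals."""
    out = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i) or text.startswith("/*", i):
            i = _skip_ws_and_comments(text, i)
        elif c == ",":
            # drop the comma if the next significant char closes an object/array
            j = _skip_ws_and_comments(text, i + 1)
            if j < n and text[j] in "}]":
                i += 1
            else:
                out.append(c)
                i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_settings(text: str) -> dict:
    """Parse JSONC settings text into a dict."""
    return json.loads(strip_jsonc(text))


def settings_drift(baseline: dict, current: dict) -> list:
    """Return sorted (kind, key) pairs for every top-level key that differs."""
    drift = []
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            drift.append(("added", key))
        elif key not in current:
            drift.append(("removed", key))
        elif baseline[key] != current[key]:
            drift.append(("changed", key))
    return drift


# Constructed sample input: the committed baseline and what an injected agent
# might leave behind. "example.agent.autoApprove" is a hypothetical key.
BASELINE_TEXT = """{
  // committed team defaults
  "editor.tabSize": 2,
  "files.eol": "\\n"
}
"""

AGENT_EDITED_TEXT = """{
  // committed team defaults
  "editor.tabSize": 4,
  "files.eol": "\\n",
  /* hypothetical setting an agent might add to widen its own permissions */
  "example.agent.autoApprove": true,
}
"""


def main() -> int:
    drift = settings_drift(load_settings(BASELINE_TEXT),
                           load_settings(AGENT_EDITED_TEXT))
    for kind, key in drift:
        print(f"settings drift: {kind} {key}")
    return 1 if drift else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run this from CI or a pre-commit hook with the baseline read from a trusted location (for example the committed copy at HEAD) rather than from the working tree the agent can write to; a non-zero exit should stop the agent's run before anything is pushed.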
frozenport 5 days ago | parent | prev
Yeah we generally don't give those permissions to agent based coding tools. Typically running something like git would be an opt-in permission.