saagarjha 3 days ago
VMs are missing the point here. Yes, you don't want a rogue MCP that lets the model exfiltrate random data from the disk. But in general we are tending towards a world where AI agents are allowed to do everything that people can do. Really, what you should be looking at is that you've hired a potentially malicious person to do something on your behalf. Obviously if you don't give them access to your tax documents, they can't read your tax documents. But the kinds of tasks you will want this agent to do at some point are to manage your calendar, read your email, perhaps even summarize your finances. There's no VM that somehow patches the Wells Fargo site to only give you your bank statements and not let you send money to people. The idea of trying to "sandbox" this barely even makes sense because we haven't historically tried to isolate this kind of operation. But, as people keep putting models in new places, it's evident that something like that will have to evolve here. And it's definitely not going to be Qubes, or the JVM, or WebAssembly, or the dozen other things that people have been suggesting as solutions to the problem.