I just spent a lot of yesterday tweaking a docker image with xfce and vs code so I can just let codex go full access mode without too much worry in a throwaway sandbox. The agent runs similarly-namespace-constrained and without sudo. I think it's a relatively safe middleground- do you really think container escape is still a big deal here?

Finally getting this setup also allowed me to very quickly troubleshoot what was breaking my build in the codex cloud hosted container which obviously has even less risk attached.

Now I'm juggling and strategizing branches like coding is an RTS game... and it feels like a super power. It's almost like unlocking an undiscovered tech tree.