I'm not sure how much sandboxing can help here. Presumably you're giving the tool access to a repo directory, and that's where a juicy .env file can live. It will also have access to your environment variables.

I suspect a lot of people permanently allow actions and classes of commands to be run by these tools rather than clicking "yes" a bunch of times during their workflows. Ride the vibes.

That's the entire point of sandboxing, so none of what you listed would be accessible by default. Check out https://github.com/anthropic-experimental/sandbox-runtime and https://github.com/Zouuup/landrun as examples on how you could restrict agents for example.