I still manually approve tool use requests at the start of a run. As it gets deeper in I might allow it to run safer commands without that oversight (e.g. writing to local text files), but potentially destructive execution still requires approval.

As for the local env, I'm treating the Android terminal as a sandbox. Anything gets trashed I just reset and reinstall my toolchain.

I won't pretend I'd use this workflow for anything high-stakes. But for simple things like "I wonder how my Hue lights actually work?", its viable.