heliumtera 7 hours ago
What would you consider a tight sandbox without exfiltration vectors? Agents are used to run arbitrary compute. Even a simple write to disk can be part of an exfiltration method. Instructions, bash scripts, programs written by agents can be evaluated outside the sandbox and cause harm. Is this a concern? Or, alternatively, is your concern what type of information can leak outside of that particular tight sandbox? In this case I think you would have to disallow any internet communication besides the LLM provider itself, including the underlying host of the sandbox. You brought this up a couple of times now, would appreciate clarification.
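The egress rule sketched in the post above ("only the LLM provider, and not the sandbox host either") can be expressed as a small policy check. The code below is an added example written for this thread, not code from either commenter: the provider hostname `api.llm-provider.example`, the resolved addresses and the list of connection attempts are all constructed placeholders, and the network ranges it denies are the standard loopback, link-local, cloud-metadata and private ranges where the sandbox host, the container bridge and metadata services normally live. It shows the decision logic a sandbox egress proxy or firewall generator would apply, including the case where the allowed hostname resolves to an internal address.

```python
"""Egress allowlist for an agent sandbox (added example, not from the thread).

Policy: the only permitted outbound destination is the LLM provider's API
endpoint.  Everything else is denied and logged, including literal IPs,
the sandbox host, the container bridge and cloud metadata addresses.
All hostnames, addresses and attempts below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

# Assumed provider endpoint (placeholder name, not a real vendor host).
ALLOWED_ENDPOINTS = {("api.llm-provider.example", 443)}

# Ranges that must never be reachable from inside the sandbox: loopback,
# link-local (169.254.169.254 metadata lives here), and RFC 1918 / ULA
# space where the host and the container bridge are addressed.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128",
    "169.254.0.0/16", "fe80::/10",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",
)]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _denied_range(ip):
    """Return the denied network containing ip, or None."""
    return next((net for net in DENIED_NETWORKS if ip in net), None)


def check_egress(dest, port, resolved_ip=None):
    """Decide one outbound connection attempt.

    dest is a hostname or a literal IP.  resolved_ip is what the hostname
    resolved to, supplied by the caller so the check runs offline and so a
    name that resolves to an internal address is still caught.
    """
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None

    # Literal addresses are never allowed: the allowlist is by hostname only.
    if ip is not None:
        net = _denied_range(ip)
        if net is not None:
            return Decision(False, f"literal address {ip} is in denied range {net}")
        return Decision(False, f"literal address {ip}:{port} is not the provider endpoint")

    if (dest.lower(), port) not in ALLOWED_ENDPOINTS:
        return Decision(False, f"{dest}:{port} is not in the allowlist")

    # Even the allowed name must not resolve into the host's own address space.
    if resolved_ip is not None:
        net = _denied_range(ipaddress.ip_address(resolved_ip))
        if net is not None:
            return Decision(False, f"{dest} resolved to {resolved_ip} in denied range {net}")

    return Decision(True, f"{dest}:{port} is the LLM provider endpoint")


def audit(attempts):
    """Turn (dest, port[, resolved_ip]) attempts into ALLOW/DENY log lines."""
    lines = []
    for attempt in attempts:
        d = check_egress(*attempt)
        verdict = "ALLOW" if d.allowed else "DENY"
        lines.append(f"{verdict} {attempt[0]}:{attempt[1]} ({d.reason})")
    return lines


# Constructed sample of what an agent in the sandbox might try to reach.
SAMPLE_ATTEMPTS = [
    ("api.llm-provider.example", 443, "203.0.113.10"),  # the provider: allowed
    ("169.254.169.254", 80),                            # cloud metadata service
    ("172.17.0.1", 22),                                 # container bridge / host
    ("pastebin.example", 443, "198.51.100.7"),          # arbitrary internet host
    ("api.llm-provider.example", 443, "10.0.0.5"),      # allowed name, internal address
    ("api.llm-provider.example", 8443),                 # allowed name, wrong port
]

if __name__ == "__main__":
    for line in audit(SAMPLE_ATTEMPTS):
        print(line)
```

Only the first attempt passes; the other five are denied and logged, which is the enforcement point the post is asking about. In a real deployment the same table would be compiled into the sandbox's firewall or a forwarding proxy rather than evaluated in Python, and the resolved-address check matters there because DNS is the one channel a name-based allowlist still trusts.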
TeMPOraL 3 hours ago
> In this case I think you would have to disallow any internet communication besides the LLM provider itself, including the underlying host of the sandbox.

And the user too, because a human can also be prompt-injected! Prompt injection is fundamentally just the LLM flavor of social engineering.