saltypal 11 hours ago

Check out https://github.com/anthropic-experimental/sandbox-runtime, which tackles this problem using the built-in userspace sandboxing on macOS and Linux.

I run Claude from a mounted volume (but no reason you couldn't make a user for it instead) since the Deny(~) makes it impossible to run from the normal locations.

    export CLAUDE_CONFIG_DIR=/Volumes/Claude/.claude

Minimal .claude/settings.local.json:

    {
      "permissions": {
        "allow": [
          "Read(/)",
          "Read(~/.claude/shell-snapshots/*)",
          "WebSearch",
          "WebFetch(domain:example.com)"
        ],
        "deny": [
          "Read(~)",
          "Write(/.claude/settings.local.json)",
          "Write(/method_filter.py)"
        ]
      },
      "sandbox": {
        "enabled": true,
        "autoAllowBashIfSandboxed": true,
        "allowUnsandboxedCommands": false,
        "network": {
          "allowLocalBinding": true,
          "httpProxyPort": 9655
        }
      }
    }