You are essentially describing the system that Codex (and, I presume, Claude Code et al.) already implements.

The devil is in the details. How much of the code running on my machine is confined to the sandbox vs how much is used in the boostrap phase? I haven't looked but I would hope it can survive some security audits.