It's not perfect but it does have a few opt-in security features: running all tools in a docker container with minimal mounts, requiring approvals for exec commands, specifying tools on an agent by agent basis so that the web agent can't see files and the files agent can't see the web, etc.

That said, I still don't trust it and have it quarantined in a VPS. It's still surprisingly useful even though it doesn't have access to anything that I value. Tell it to do something and it'll find a way!