Surely this is the elephant in the room, but the point here is that Apple as control over its ecosystem, so it may be able to sandbox and make entitlements and transparency good enough, in the apps that the bot can access.

Like I said: sandboxing doesn't solve the problem.

As long as the agent creates more than just text, it can leak data. If it can access the internet in any manner, it can leak data.

The models are extremely creative and good at figuring out stuff, even circumventing safety measures that are not fully air tight. Most of the time they catch the deception, but in some very well crafted exploits they don't.