Sandboxing is necessary but you still have to trust it with the thing it's supposed to operate on, that means it should be able do the job correctly and be resistant to prompt injections (social engineering in the case of that human worker example). In its current state neither is really possible. It's a system of a highly experimental nature, use your own damn sense, don't give it too much and don't rely upon it.