cedws | 2 hours ago
The billion engineers building sandbox tools at the moment are missing the point. Sandboxing doesn't matter when the LLM is vulnerable to prompt injection. Every MCP server you install, every webpage it fetches, every file it reads is a threat. Yeah you can sit there and manually approve every action it takes, but then how is any of this useful when you have to supervise it constantly? Even Anthropic say that this doesn't work because reviewing every action leads to exhaustion and rubber stamping. The problem is not what the LLM shouldn't have access to, it's what it does have access to. The usefulness of LLMs is severely limited while they lack the ability to separate instructions and data, or as Yann LeCun said, predict the consequences of their actions.
logicx24 | an hour ago | parent
Yup. I just wrote about this last week: https://tachyon.so/blog/sandboxes-wont-save-you
Of all the problems in agent security, sandboxing solves the easiest problem.