> I'm flabbergasted that Anthropic and OpenAI aren't more worried about these attack vectors. It feels like amateur hour

I share your concern but it's not a correct characterisation to say they are not taking it seriously:

https://www.anthropic.com/engineering/how-we-contain-claude

My concern is people aren't even addressing this at the right level. People are currently thinking at the level of "how do I build a VM to contain this one agent" when this is actually a "design a whole new OS" level problem.