bob1029 3 hours ago
The only thing close to a guarantee is to give the agent exclusive access to a clean VM with precisely the information and permissions you want it to have. I've been looking into a "workspace" concept that involves an entire cloud VM being spun up as part of an agent conversation such that code changes can be iterated without touching the user's local machine or other trusted contexts. All the agent's tools only have effect when supplied with a specific workspace GUID. CLI tools like git are not authorized to talk to the remotes in this arrangement. The machine is initialized with a clone and no way to talk to origin. There are dedicated methods in the harness that can reach into the VM and pull out a change set for deterministic PR generation in the secure contexts (e.g. when the agent calls "ReadyForReview" or similar).
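The gating bob1029 describes (every tool keyed by a workspace GUID, git refused any remote access, a trusted-side method that pulls the change set out for PR generation) sketched as an added Python example. This is not bob1029's code or any project's; the VM is simulated by an in-memory file map, and every name here (Harness, Workspace, ready_for_review, demo) is a hypothetical label chosen for the illustration.

```python
import difflib
import uuid
from dataclasses import dataclass

# Assumed names (Harness, Workspace, ready_for_review, ...) are illustrative,
# not taken from the commenter's system or any real product.


class WorkspaceError(Exception):
    """Raised when the harness refuses a tool call."""


@dataclass
class Workspace:
    guid: str
    files: dict          # live working tree inside the (simulated) VM: path -> text
    baseline: dict       # pristine clone contents, kept for deterministic diffs


class Harness:
    """Tool dispatcher: every agent-facing tool needs a live workspace GUID."""

    REMOTE_SUBCOMMANDS = {"push", "fetch", "pull", "remote", "clone"}

    def __init__(self):
        self._workspaces = {}

    # --- trusted side: provisioning and extraction ---------------------------

    def create_workspace(self, clone):
        """Spin up a workspace seeded with a clone; no remote is configured."""
        guid = str(uuid.uuid4())
        self._workspaces[guid] = Workspace(guid, dict(clone), dict(clone))
        return guid

    def ready_for_review(self, guid):
        """Pull the change set out of the VM and tear the workspace down."""
        ws = self._lookup(guid)
        patch = self._changeset(ws)
        del self._workspaces[guid]  # the GUID is dead from here on
        return patch

    # --- agent-facing tools --------------------------------------------------

    def read_file(self, guid, path):
        ws = self._lookup(guid)
        if path not in ws.files:
            raise WorkspaceError(f"no such file: {path}")
        return ws.files[path]

    def write_file(self, guid, path, content):
        self._lookup(guid).files[path] = content

    def git(self, guid, subcommand, *args):
        """Only local git operations are permitted inside the workspace."""
        ws = self._lookup(guid)
        if subcommand in self.REMOTE_SUBCOMMANDS:
            raise WorkspaceError(f"git {subcommand} is not authorized: no remote access")
        if subcommand == "diff":
            return self._changeset(ws)
        raise WorkspaceError(f"git {subcommand} is not modelled in this example")

    # --- internals -----------------------------------------------------------

    def _lookup(self, guid):
        ws = self._workspaces.get(guid)
        if ws is None:
            raise WorkspaceError("unknown or closed workspace GUID")
        return ws

    @staticmethod
    def _changeset(ws):
        """Unified diff of baseline vs. working tree, emitted in sorted path order."""
        out = []
        for path in sorted(set(ws.baseline) | set(ws.files)):
            before = ws.baseline.get(path, "").splitlines(keepends=True)
            after = ws.files.get(path, "").splitlines(keepends=True)
            src = f"a/{path}" if path in ws.baseline else "/dev/null"
            dst = f"b/{path}" if path in ws.files else "/dev/null"
            out.extend(difflib.unified_diff(before, after, fromfile=src, tofile=dst))
        return "".join(out)


def refused(call, *args):
    """True if the harness rejects the call; used to show the denials explicitly."""
    try:
        call(*args)
    except WorkspaceError:
        return True
    return False


def demo():
    """Constructed walk-through: edit one file, add another, then extract the PR patch."""
    harness = Harness()
    clone = {"app.py": "print('hi')\n"}  # constructed stand-in for the repo clone
    guid = harness.create_workspace(clone)
    harness.write_file(guid, "app.py", "print('hello')\n")
    harness.write_file(guid, "NOTES.md", "edited inside the workspace\n")
    return harness.ready_for_review(guid)
```

The two properties worth checking on a real implementation are the ones the in-memory version makes visible: a call with a stale or forged GUID gets nothing, and the only path for changes to leave the VM is the trusted-side extraction, which produces the same patch text every time for the same working tree.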
binsquare 27 minutes ago
I made a lightweight VM specifically for this use case: https://github.com/smol-machines/smolvm
TZubiri an hour ago
Sounds overkill; how about giving the agent its own user?