Hacker News

boratanrikulu 11/07/2024

Do you have any sandbox-like restrictions in place to ensure that commands are limited to only touching the project folder, not any other places in the system?


Replies

imiric 11/08/2024

You can use pledge[1] to restrict the tool to read/write only in specific directories, or only use certain system calls. This is easier to run than from a container or VM, but can be a bit fiddly to set up at first.

Assuming you trust it with the files in your codebase, and them being shared with third parties. Which is a hard pill to swallow for a proprietary program.

[1]: https://justine.lol/pledge/

jahooma 11/07/2024

We always reset the directory back to the project directory on each command, so that helps.

But we're open to adding more restrictions so that it can't, for example, run `cd /usr && rm -rf .`
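
An added example, not from the thread or the tool's own code, showing what a per-command directory reset does and does not confine. The `run_in_project` runner and the temp-directory layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed layout: "project" is the agent's working tree, "outside" stands
# in for any other location on the system (both live under a temp dir).
ROOT=$(mktemp -d)
PROJECT="$ROOT/project"
OUTSIDE="$ROOT/outside"
mkdir -p "$PROJECT" "$OUTSIDE"

# Hypothetical runner: every command gets a fresh shell started in $PROJECT,
# which models "reset the directory back to the project directory".
run_in_project() {
    ( cd "$PROJECT" && sh -c "$1" )
}

# Case 1: a cd in one command does not carry over to the next one.
case_separate_commands() {
    run_in_project "cd '$OUTSIDE'"
    run_in_project "touch separate.txt"
    if [ -e "$PROJECT/separate.txt" ] && [ ! -e "$OUTSIDE/separate.txt" ]; then
        echo "contained"
    else
        echo "escaped"
    fi
}

# Case 2: a cd chained inside a single command takes effect before the reset.
case_chained_command() {
    run_in_project "cd '$OUTSIDE' && touch chained.txt"
    if [ -e "$OUTSIDE/chained.txt" ]; then echo "escaped"; else echo "contained"; fi
}

# Case 3: no cd at all; an absolute path ignores the working directory.
case_absolute_path() {
    run_in_project "touch '$OUTSIDE/absolute.txt'"
    if [ -e "$OUTSIDE/absolute.txt" ]; then echo "escaped"; else echo "contained"; fi
}

echo "separate commands: $(case_separate_commands)"
echo "chained command:   $(case_chained_command)"
echo "absolute path:     $(case_absolute_path)"
# The temp tree can be removed afterwards with: rm -rf "$ROOT"
```

Only the first case stays inside the project directory; containing the other two needs OS-level enforcement such as the pledge wrapper linked above, a container or a VM.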
