The solution I go for is, don't ever run a coding agent on a general purpose machine.

Use a container or VM, place the code you're working on in the container or VM and run the agent there.

Between the risk of the agent doing things like what happened here, and the risk of working on a malicious repository causing your device to be compromised, it seems like a bad plan to give them access to any more than necessary.

Of course this still risks losing things like the code you're working on, but decent git practices help to mitigate that risk.