I do too. Except I can't be burnt since I start each Claude in a separate VM.
I have a script which clones a VM from a base one and sets up the agent and the code base inside.
I also mount read-only a few host directories with data.
I still have exfiltration/prompt injection risks. I'm looking at adding URL allow lists but it's not trivial - basically you need an HTTP proxy, since firewalls work on IPs, not URLs.
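
An added example, not part of the comment above and not the commenter's script: the allow-list decision a forward proxy would make per request. It shows that plain HTTP exposes the full URL, while HTTPS arrives as `CONNECT host:port`, so path rules cannot be enforced there without TLS interception. Assumptions: the hosts and path prefixes in `ALLOW` are constructed, and `decide` is a hypothetical name.

```python
from urllib.parse import urlsplit, unquote

# Constructed allow list (assumption): host -> permitted path prefixes.
ALLOW = {
    "pypi.org": ["/simple/"],
    "files.pythonhosted.org": ["/"],
    "api.github.com": ["/repos/example-org/"],
}

def decide(request_line, allow=ALLOW):
    """Return (verdict, reason) for the first line of a forward-proxy request."""
    parts = request_line.split()
    if len(parts) != 3:
        return ("deny", "malformed request line")
    method, target, _version = parts
    if method.upper() == "CONNECT":
        # HTTPS tunnel: the proxy sees only host:port; the path is inside TLS.
        host, _, port = target.rpartition(":")
        prefixes = allow.get(host.lower().rstrip("."))
        if port != "443" or prefixes is None:
            return ("deny", "host or port not allowed")
        if "/" not in prefixes:
            return ("deny", "path rule cannot be enforced without TLS interception")
        return ("allow", "whole host allowed")
    try:
        url = urlsplit(target)
        host = url.hostname  # lowercased, excludes any userinfo before '@'
    except ValueError:
        return ("deny", "unparseable URL")
    if url.scheme != "http" or not host:
        return ("deny", "not an absolute http URL")
    prefixes = allow.get(host.rstrip("."))
    if prefixes is None:
        return ("deny", "host not allowed")
    path = unquote(url.path or "/")
    if ".." in path.split("/"):
        # A dot-segment could step outside an allowed prefix once resolved.
        return ("deny", "dot-segment in path")
    if not any(path.startswith(p) for p in prefixes):
        return ("deny", "path not allowed")
    return ("allow", "url allowed")

if __name__ == "__main__":
    for line in ("GET http://pypi.org/simple/requests/ HTTP/1.1",
                 "CONNECT api.github.com:443 HTTP/1.1"):
        print(line, "->", decide(line))
```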