If you provide your own functions/tools to the AI agent, wouldn't that let you do exactly that?
i.e. "Here AI, call this function -> local_exec(command_name, {param1, param2, [etc]})" to execute functions.
And you'd wire up your local_exec() function to run the command in the container however you choose. (chroot, namespace, ssh to something remote, etc)
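A sketch of the local_exec() wiring described in the comment above, added here as an example and not part of the original post. The tool registry, the validation patterns and the unshare wrapper are assumptions chosen for illustration; the model only ever picks a tool name and parameter values, never the executable or the argv layout.

```python
import re
import subprocess

# Assumption: sandbox wrapper prepended to every command. Swap in chroot,
# a namespace tool, or a container runtime; unshare here needs privileges.
SANDBOX_PREFIX = ["unshare", "--net", "--pid", "--fork", "--mount-proc"]

# Hypothetical tool registry: each tool has a fixed argv template and a
# validation pattern per parameter.
TOOLS = {
    "list_dir": {"argv": ["ls", "-la", "--", "{path}"],
                 "params": {"path": r"[\w./-]{1,200}"}},
    "grep": {"argv": ["grep", "-rn", "-e", "{pattern}", "--", "{path}"],
             "params": {"pattern": r"[^\x00\n]{1,100}",
                        "path": r"[\w./-]{1,200}"}},
}


def build_argv(command_name, params):
    """Validate a tool call and return its argv list, or raise ValueError."""
    spec = TOOLS.get(command_name)
    if spec is None:
        raise ValueError(f"unknown tool: {command_name!r}")
    if not isinstance(params, dict) or set(params) != set(spec["params"]):
        raise ValueError("unexpected or missing parameters")
    for name, pattern in spec["params"].items():
        value = params[name]
        if not isinstance(value, str) or not re.fullmatch(pattern, value):
            raise ValueError(f"parameter {name!r} failed validation")
    # Each placeholder is replaced as one whole argv element, so a value can
    # never split into extra arguments or reach a shell.
    return [params[t[1:-1]] if t.startswith("{") else t for t in spec["argv"]]


def local_exec(command_name, params, prefix=SANDBOX_PREFIX, timeout=10):
    """Run an allowlisted tool inside the sandbox wrapper, without a shell."""
    argv = list(prefix) + build_argv(command_name, params)
    try:
        done = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        return {"returncode": None, "stdout": "", "stderr": "timeout"}
    # Cap output so a noisy command cannot flood the model's context.
    return {"returncode": done.returncode,
            "stdout": done.stdout[:4000], "stderr": done.stderr[:1000]}
```

The wrapper is the isolation boundary; the allowlist and argv templating only limit what the model can ask that boundary to run.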