The same reason we sandbox anything. All software ought to be trustworthy, but in practice is susceptible to malfunction or attack. Agents can malfunction and cause damage, and they consume a lot of untrusted input and are vulnerable to malicious prompting.

As for humans, it's the norm to restrict access to production resources. Not necessarily because they're untrustworthy, but to reduce risk.