Rather than spending iterations crafting precise permissions, why not just run with
--dangerously-skip-permissions
If run in a devcontainer[1][2], the worst thing that can happen is it deletes everything in the filesystem below the mounted repo. Recovery would entail checking out the repo again.
1. (conventional usage) https://code.visualstudio.com/docs/devcontainers/containers
2. (actual spec) https://containers.dev/
Be careful running Claude in a devcontainer with no other restrictions - it at least nominally knows how to jailbreak out of containers, even though it appears heavily moralized not to. If you (for example) feed it arbitrary web data that contains a prompt sufficiently persuasive to get it to try, it's pretty capable of doing it.
Still leaves you open for data exfil. Your AI goes to a site to check documentation, but oh no that site wants it to make an API call with a very specific token.
On Windows I create a new locked-down user with NTFS permissions denied everywhere except the target project path. I then run the agent app as that user with otherwise unrestricted PowerShell access.