Hacker News

hebejebelus yesterday at 8:27 PM

It seems there's at least _some_ mitigation. I did try to have it use its WebFetch tool (and curl) to fetch a few websites I administer and it failed with "Unable to verify if domain is safe to fetch. This may be due to network restrictions or enterprise security policies blocking claude.ai." It seems there's a local proxy and an allowlist - better than nothing I suppose.

Looks to me like it's essentially the same sandbox that runs Claude Code on the Web, but running locally. The allowlist looks like it's the same - mostly just package managers.


Replies

marshallofsound yesterday at 8:54 PM

That's correct, currently the networking allowlist is the same as what you already have configured in claude.ai. You can add things to that allowlist as you need.