Hacker News

turnsout today at 12:16 AM

Honestly it sounds like they went above and beyond. Does this solve the trifecta, or is the network still exposed via connectors?


Replies

simonw today at 1:36 AM

Looks like the Ubuntu VM sandbox locks down access to an allow-list of domains by default - it can pip install packages but it couldn't access a URL on my blog.

That's a good starting point for lethal trifecta protection but it's pretty hard to have an allowlist that doesn't have any surprise exfiltration vectors - I learned today that an unauthenticated GET to docs.google.com can leak data to a Google Form! https://simonwillison.net/2026/Jan/12/superhuman-ai-exfiltra...

But they're clearly thinking hard about this, which is great.