Hacker News

iamacyborg, yesterday at 10:48 PM

If you’re letting it access websites then presumably it’s open to prompt injection from those sites you’re accessing? I guess the attack surface is reduced if it doesn’t have access to anything useful beyond that.