The thing is that on macOS at least, Codex does have the ability use an actual sandbox that I believe prevents certain write operations and network access.