> compute isolation means nothing if the sandbox can freely phone home.

Here's a project I've been working on to address the network risk. Uses nftables firewall allowing outbound traffic only to an explicit pinned domain allowlist (continuously refreshes DNS resolutions in the background).

https://github.com/noperator/cagent