Hacker News

redleader55 today at 7:05 PM

Agentic workloads create and then run code. You don't want to just run that code in a "normal" environment like a container, or even a very well protected VM. There are other options, ofc - e.g. gVisor, crosvm, Firecracker, etc., but this one is uncommon enough to have a small number of attackers trying to hack it.


Replies

srdjanr today at 7:45 PM

What's wrong with a well-protected VM? Especially compared to something where the security selling point is "no one uses it" (according to your argument; I don't know how secure this actually is).
