That's punting the problem in the same way SELinux did. Agent loops are useful precisely because they're zero config.

Problem: I want to accomplish work securely.

Solution: Put granular permission controls at every interface.

New problem: Defining each rule at all those boundaries.

There's a reason zero trust style approaches won out in general purpose systems: it turns out defining a perfect set of secure permissions for an undefined future task is impossible to do efficiently.