The default sandboxing works fine for me. It asks before running any command, and I can whitelist directories for reading and non-compound commands.
That's not a sandbox.