Hacker News

PaulDavisThe1st, today at 3:44 AM (2 replies)

On Linux, chroot(2) is hard to escape and would apply to all child processes without modification.


Replies

safety1st, today at 7:23 AM

We anthropomorphize these agents in every other way. Why aren't we using plain ol' unix user accounts to sandbox them?

They look a lot like daemons to me; they're a program that you want hanging around, ready to respond, and maybe act autonomously through cron jobs, which are similar. You want to assign any number of permissions to them; you don't want them to have access to root or necessarily any of your personal files.

It seems like the permissions model broadly aligns with how we already handle a lot of server software (and potentially malicious people) on unix-based OSes. It is a battle-tested approach that the agent is unlikely to be able to "hack" its way out of. I mean we're not really seeing them go out onto the Internet and research new Linux CVEs.

Have them clone their own repos in their own home directory too, and let them party.

Openclaw almost gets there! It exposes a "gateway" which sure looks like a daemon to me. But then for some reason they want it to live under your user account with all your privileges and in a subfolder of your $HOME.

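An added example (not from the thread) of the daemon-style setup safety1st describes: a dedicated unix account plus a systemd unit that pins the agent to that account and its own home directory. Assumed names: user `agent`, home `/home/agent`, binary `/usr/local/bin/agent-gateway`; using systemd at all is also an assumption.

```shell
#!/bin/sh
# Added example: run an agent as its own unprivileged unix user, the way a
# daemon would be run. User/home/binary names below are assumptions.
set -eu

AGENT_USER="${AGENT_USER:-agent}"
AGENT_HOME="${AGENT_HOME:-/home/$AGENT_USER}"
AGENT_BIN="${AGENT_BIN:-/usr/local/bin/agent-gateway}"   # hypothetical binary

# Create the account once, as root. --system: no password login;
# --create-home: the agent gets a home of its own to clone repos into.
setup_agent_user() {
    id "$AGENT_USER" >/dev/null 2>&1 && return 0
    useradd --system --create-home --home-dir "$AGENT_HOME" \
            --shell /usr/sbin/nologin "$AGENT_USER"
    chmod 0750 "$AGENT_HOME"     # other accounts stay out of the agent's files
}

# Write a systemd unit that keeps the process as that user and hides the rest
# of the machine: all other home directories vanish, the root filesystem is
# read-only, and the agent's own home is the only writable tree. $1 = unit path.
write_agent_unit() {
    cat > "$1" <<EOF
[Unit]
Description=AI agent gateway (dedicated unprivileged user)

[Service]
User=$AGENT_USER
Group=$AGENT_USER
WorkingDirectory=$AGENT_HOME
ExecStart=$AGENT_BIN
NoNewPrivileges=yes
ProtectHome=tmpfs
BindPaths=$AGENT_HOME
ReadWritePaths=$AGENT_HOME
ProtectSystem=strict
PrivateTmp=yes
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}
```

After installing the unit, `systemd-analyze security <unit>` scores how much of the host the service can still reach, which is a quick check that the sandboxing directives took effect.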
shakna, today at 3:50 AM

chroot is not a security sandbox. It is not a jail.

Escaping it is something that does not take too much effort. If you have ptrace, you can escape without privileges.
