alt Hacker News> Don't just rawdog a coding agent because a perfectly viable solution (containers) takes an hour or two of work to set up.
Setting up a separate unprivileged Linux user account takes all of like a minute. Assuming that the $HOME for your daily-driver account isn't world-readable, [0] that gets you the majority of the isolation that containerization provides and doesn't expose you to any bugs in the containerization management daemon (or the containerization code, itself) that may still be present even after all these years.
These things are usually TUIs or CLIs, so you don't need to bother with giving them xauth access or whatever the Wayland equivalents for that are.
[0] If it is, you might consider fixing that immediately.
See, I like this. "Create a new user account" is much better advice than "don't use a container".
My problem with the latter advice is that I know for a fact that people will read it, then continue to use absolutely no protection whasoever.
I have also wanted to use a simple file permission system, but I started with a container and I can't be troubled to switch yet.