Hacker News

dns_snek, yesterday at 7:46 PM

The good news is that some of these harnesses (like Codex) use sandboxing. The bad news is that they're too inflexible to be effective.

By default, these shell commands don't have network access or write access outside the project directory, which is good, but nowhere near customizable enough. Once you approve a command because it needs network access, its other restrictions are lifted too. It's all or nothing.