And it sounds like the proxy can be easily circumvented by the agent, since it only applies within the Node process and the agent can execute arbitrary external commands.

(The filesystem wrapper API sounds even more pointless. The risk it protects against seems insignificant compared to the other risks associated with their system.)