Hacker News

wolfi1 today at 8:54 AM, 4 replies

How do containers solve the problem? If they are connected to the internet (and they are), you have got the same problem if the credentials can be read by the container, at least to my understanding.


Replies

CGamesPlay today at 12:48 PM

Things on my workstation that the container does not have access to: browser cookies, 1Password cli, SSH keys (even if I allow the SSH agent socket), cargo publish tokens (unless it’s a rust project), npm tokens (unless it’s an npm project), and not to mention anything relating to my other clients (don’t compromise my employer when I vibe install some dep for a random side project).

jcgl today at 10:51 AM

On my personal machine, I run OpenSnitch. Much better defense against data exfil if you reject outbound connections to unexpected/unwanted hosts.

mentalgear today at 8:55 AM

For credential stealing, that is true, but at least it would protect your local machine. But I just read these worms also try container escape ...

TacticalCoder today at 12:17 PM

Watertight subdivision in a ship doesn't promise: "there'll never ever be water in this ship". It says: "If there's water in this ship due to one hole, it'll stay in one compartment". Note that I said one hole: you have the Titanic, many compartments get holes, that one ship is still going to sink.

(btw, that the Titanic sank is not an excuse not to secure other ships. And it did save a great many other ships to have watertight subdivision.)

So... Although there are exploits escaping containers and VMs and then bad guys doing lateral moves across machines, you still want defense in depth.
