Hacker News

dangus, yesterday at 7:14 PM (4 replies)

Right, why is their login user in the docker group? Mine sure isn’t.


Replies

oytis, yesterday at 7:17 PM

Rather, why do people still run agents as their own user? IMO, agent sessions should at least be containerised with just necessary code mounted.

unglaublich, yesterday at 7:17 PM

Convenience. Want to run `docker run ...` without password, want IDEs and agents to be able to run containers...

jon-wood, yesterday at 8:41 PM

Because it effectively makes no difference to my security posture. My user account also has sudo access (it requests TouchID but I also wouldn't die on the hill if someone said they have no password sudo access), and realistically everything of value on this machine exists in my home directory. Being able to escalate to root really doesn't give an attacker very much that they don't already have if they've got access to my user account.

alephnerd, yesterday at 7:20 PM

Because a lot of devs don't know this stuff. There's a reason security engineers (as in SWEs who specialize in securing specific attack surfaces) remain in hot demand.
