If you're on Linux, you can also easily run it in bwrap to properly sandbox without running a full container