Not just AI agents... basically, if you cd Projects/foo, that should be it's own user (for running npm, etc) that should not have access to parent user data (probably including github tokens, etc).