While it's a little unstable, I've found Docker's sbx to be a great sandbox to run agents with --dangerously-skip-permissions