I am certainly no expert in this space so it is quite possible I'm missing something critical, but what seems to work for me is a Podman image I built on my computer with some basic things I need (using OpenCode, but I imagine any other agent could be used instead):
FROM docker.io/archlinux:base
RUN pacman -Syu --noconfirm && \
pacman -S --noconfirm \
base-devel \
git \
curl \
uv \
opencode && \
pacman -Scc --noconfirm
RUN mkdir -p /etc/opencode
WORKDIR /workspace
From there I just run the Podman image from the command line (using a Fish function) that mounts the specific project I'm working on to /workspace. I guess there might be some vulnerabilities with shared kernels and such, but it seems like an easy way to have some isolation.This is how I started, and then I wanted to bring along creature comforts, not have to re-auth per box (for subscription models), had some skills I usually wanted to bring, wanted slightly different setups for different stacks, sensibly install multiple agents, import git identity (but not credentials), mount other code folders ro but only for certain projects, etc etc, and ended up with a full Docker wrapper.
As opencode is inside your container, credentials and API keys are also inside the container. Prompt injection when your agent fetches some web site could have your agent leak this credentials to someone.
Also, do you restrict networking or does your container have full access to your internal network?