As opencode is inside your container, credentials and API keys are also inside the container. Prompt injection when your agent fetches some web site could have your agent leak this credentials to someone.
Also, do you restrict networking or does your container have full access to your internal network?
I restrict networking via my pfSense router, using VLANs. I also don't include any credentials in the container; the agents there can't push, pull, or really access anything else beyond the standard tools without any authentication.
I don't use Claude or any other paid agent at the moment, so if that were to change I'd probably modify the way I run this, but with this simple set up I'm not too worried about credentials leaking.