There are a lot of options in this space. Armin Ronacher is working on Gondolin (https://github.com/earendil-works/gondolin) for example. I built agentd as a layer in front of this stuff so you can expose secure shell capabilities over the network as a tool rather than baking it into the harness, or running the harness in that environment.

Claude sandbox practically useless IMO. It gives read access to everything by default so its not deny-default.