> container with explicit bind mounts

Someone correct me if I'm wrong, but if you're doing bind mounts, ensure you do read-only. If you're doing bi-directional bind mounts with Docker, the agent could (and most likely knows how to) create a symlink that allows them to browse outside the bind mount.

That's why I explicitly made my tooling do "Create container, copy over $PWD, once agent completes, copy back to $PWD" rather than the bind-mount stuff.

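A sketch of the copy-in/copy-out workflow described in the comment above, as an added example (not the commenter's tooling). It goes one step further by copying results to a staging directory and refusing to merge them into `$PWD` if any returned symlink resolves outside that tree; the `/work` path, the container name and both function names are assumptions, and `readlink -f` is assumed to be available.

```shell
#!/bin/sh
# Added example: run an agent with copy-in / copy-out instead of bind mounts.
# Assumed names: /work in the container, escaping_symlinks, run_agent.

# Print every symlink under $1 whose target resolves outside $1.
# Returns 0 if none were found, 1 otherwise.
escaping_symlinks() {
    root=$(cd "$1" && pwd -P) || return 2
    found=0
    list=$(mktemp)                 # temp file, so $found survives the loop
    find "$root" -type l > "$list"
    while IFS= read -r link; do
        target=$(readlink -f -- "$link" 2>/dev/null) || target=""
        case "$target" in
            "$root"|"$root"/*) ;;                 # stays inside the tree
            *) printf '%s\n' "$link"; found=1 ;;  # escapes or unresolvable
        esac
    done < "$list"
    rm -f "$list"
    return "$found"
}

# Usage: run_agent IMAGE CMD [ARGS...]
run_agent() {
    image=$1; shift
    name="agent-$$"
    stage=$(mktemp -d)
    docker create --name "$name" -w /work "$image" "$@" >/dev/null || return 1
    docker cp "$PWD/." "$name:/work"      # copy the project in
    docker start -a "$name"               # run the agent to completion
    docker cp "$name:/work/." "$stage"    # copy out to staging, not to $PWD
    docker rm "$name" >/dev/null
    if escaping_symlinks "$stage"; then
        cp -a "$stage/." "$PWD/"          # merge only a tree with no escapes
    else
        echo "refusing to merge: links listed above leave $stage" >&2
        return 1
    fi
}

# Only runs when invoked with arguments, e.g.: ./agent-run.sh IMAGE CMD
if [ "$#" -gt 0 ]; then run_agent "$@"; fi
```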