How do we actually guarantee sandbox isolation when local LLMs have tool access?
r/LocalLLaMA
Generative AI
AI Safety
Maybe this is a very basic question. But we know that giving local models tool call access and filesystem mounts is inherently risky - the model itself might hallucinate into a dangerous action, or get hit with a prompt injection from external content it reads. We usually just rely on the agent framework's built-in sandboxing to catch whatever slips through. I was reading through the recent OpenClaw security audit by Ant AI Security Lab, and it got me thinking.