Your AI agent sandbox doesn't control what happens inside it

Dev.to AI
Generative AI

Put an AI agent in a Docker container. Lock the network down. Mount only the directories it needs. The agent can't reach the host, can't phone home to arbitrary domains, can't escape. But inside that box, it has access to every MCP tool you configured. It can read any file in the workspace, overwrite things, call APIs, send data wherever a tool points. The container doesn't know and doesn't care.

This is the gap nobody talks about. Sandbox providers - E2B, Docker, Fly.io, Firecracker - have done good work on isolation.
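The container boundary sees syscalls and packets; it cannot see what a tool call means. The scoping has to happen on the tool-dispatch path inside the sandbox. As an added example (not code from the post or from any sandbox provider), here is a minimal policy gate that checks each tool call before it is dispatched. The tool names (`read_file`, `write_file`, `http_request`), the argument keys and the policy shape are assumptions.

```python
"""Tool-call policy gate for an agent inside a sandbox (added example).

Assumed: tools are dispatched by name with a dict of arguments. The gate
decides per call whether a file tool may touch a path and whether a
network tool may send to a host, independent of the container's own
network and mount restrictions.
"""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PurePosixPath
from urllib.parse import urlparse


@dataclass(frozen=True)
class ToolPolicy:
    workspace: str                      # root the file tools may read
    writable: tuple[str, ...] = ()      # sub-trees the file tools may write
    allowed_hosts: frozenset[str] = frozenset()  # hosts http_request may reach


def _within(path: str, root: str) -> bool:
    """Lexical containment check: absolute path, no '..', under root.
    A real gate must also resolve symlinks against the mounted filesystem."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    r = PurePosixPath(root)
    return p == r or r in p.parents


def check_tool_call(policy: ToolPolicy, tool: str, args: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for one tool call before it is dispatched."""
    if tool == "read_file":
        ok = _within(args.get("path", ""), policy.workspace)
        return ok, "read inside workspace" if ok else "read outside workspace"
    if tool == "write_file":
        path = args.get("path", "")
        ok = any(_within(path, w) for w in policy.writable)
        return ok, "write to writable tree" if ok else "write outside writable trees"
    if tool == "http_request":
        host = urlparse(args.get("url", "")).hostname or ""
        ok = host in policy.allowed_hosts
        return ok, f"host {host!r} allowed" if ok else f"host {host!r} not allowed"
    # Default deny: a tool the policy does not name never runs.
    return False, f"tool {tool!r} not in policy"


def gated_dispatch(policy: ToolPolicy, calls: list[tuple[str, dict]]) -> list[dict]:
    """Run the gate over a batch of calls and return an audit record per call."""
    return [{"tool": t, "args": a, "allowed": ok, "reason": why}
            for t, a in calls for ok, why in [check_tool_call(policy, t, a)]]
```

The audit records are the detection signal: a denied `write_file` outside the workspace or an `http_request` to an unlisted host is what the container itself would never log.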