On linux I devised this strategy for letting llm webuis or coding agent to securely run programs by burying their environment under multiple layers of locally arranged sandboxing.
Basically: run as another user -> run inside firejail sandbox -> run inside a stripped down alpine linux vm with smolvm.
P.S. directories can be easily shared between the sandboxed guest and the host os
P.P.S. to stay a bit more on the safe side I also changed the name of the package manager for the guest os to something else so that when a coding agent would try to autonomously install external packages it will fail. I've then instructed it to (politely) ask for whatever it needs to be eventually manually installed by me
Basically: run as another user -> run inside firejail sandbox -> run inside a stripped down alpine linux vm with smolvm.
See the whole procedure here: https://www.reddit.com/r/LocalLLaMA/comments/1tm93ng/how_i_d...
P.S. directories can be easily shared between the sandboxed guest and the host os
P.P.S. to stay a bit more on the safe side I also changed the name of the package manager for the guest os to something else so that when a coding agent would try to autonomously install external packages it will fail. I've then instructed it to (politely) ask for whatever it needs to be eventually manually installed by me