Any system that lets an LLM generate and execute code — a coding assistant, a data-analysis agent — needs to treat that code as untrusted, the same way you'd treat code from an anonymous internet submission. That means running it in an isolated sandbox with no network access by default, no access to secrets or the host filesystem beyond an explicitly mounted scratch directory, and hard resource limits (CPU, memory, execution time) to prevent both accidents and deliberate abuse.
The model doesn't have to be malicious for this to matter — it can generate genuinely dangerous code (an infinite loop, an accidental `rm -rf`, a fork bomb) simply by making an ordinary mistake at scale. Sandbox as if every execution might go wrong, because eventually one will.