There's an interesting paper on how to sandbox that came out recently.

Summary here: https://simonwillison.net/2025/Apr/11/camel/

TLDR: Have two LLMs, one privileged and quarantined. Generate Python code with the privileged one. Check code with a custom interpreter to enforce security requirements.