I give agents full el command execution access. Inside their VM, which doesn’t connect to any external DB or API (or at least, not critical /production ones) And I take periodic snapshots of all the files on the workspace.

Honestly those measures were the standard for me way before LLMs were a thing. Those who have broad permissions to production or when their machine were asking for this to happen, no agents required.