2 points by tosh 5 hours ago | 1 comment
  • clawsyndicate 4 hours ago
    Allowing agents to "extend themselves" via bash forced us to move the whole fleet to gVisor. We run ~10k concurrent pods on k3s, and standard container isolation just wasn't enough for arbitrary code execution. The runsc memory overhead is the price you pay for letting users safely install their own packages.
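For readers who want to see what "moving pods to gVisor" looks like at the Kubernetes level, here is an added example (not from the commenter or from the gVisor project): a RuntimeClass that routes pods to the runsc handler and declares the per-pod memory overhead so the scheduler accounts for it, plus a pod that opts in. It assumes the node's containerd already has a runtime handler named `runsc` backed by gVisor's `containerd-shim-runsc-v1` (on k3s that means the shim binary is installed on each node and the handler is present in the containerd config); the overhead figures and the `agent-sandbox` names are placeholders, not measured values.

```yaml
# Added example: RuntimeClass + Pod for running untrusted agent code under gVisor.
# Assumes a containerd runtime handler named "runsc" exists on every node.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc            # must match the handler name in containerd's config
overhead:
  podFixed:
    memory: "128Mi"       # placeholder for the runsc Sentry/Gofer overhead; measure on your fleet
    cpu: "100m"
---
apiVersion: v1
kind: Pod
metadata:
  name: agent-sandbox     # hypothetical name
spec:
  runtimeClassName: gvisor      # everything in this pod runs inside the gVisor sandbox
  automountServiceAccountToken: false   # untrusted code should not get cluster credentials
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
  containers:
    - name: agent
      image: debian:bookworm-slim   # stand-in for the agent image
      command: ["sleep", "infinity"]
      resources:
        requests: { memory: "512Mi", cpu: "250m" }
        limits:   { memory: "512Mi", cpu: "1" }
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Apply both objects with `kubectl apply -f`, then confirm the sandbox actually took effect: `kubectl exec agent-sandbox -- dmesg` prints gVisor's own synthetic kernel log (it starts with "Starting gVisor...") rather than the host kernel's ring buffer, and `kubectl describe pod agent-sandbox` shows the RuntimeClass overhead added to the pod's scheduled resources. If `dmesg` shows the host kernel, the handler name did not match and the pod is running under runc.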