This hits the real problem: once agents execute code, “please don’t read ~/.ssh” is not a security control. Kernel-enforced isolation + tight allowlists is.
The secrets workflow (keychain/secret service → env → zeroize) is especially practical. Biggest thing I’d want as a user is very explicit docs on the remaining gaps (macOS read-permissive mode, procfs/env/subprocess behavior, and what Landlock can’t cover yet vs seccomp). If that’s clear, this could be a default wrapper for local agent runs.