I created a Gemini project and trusted just that folder. I custom-built Godot with a module in a sibling directory, which it shouldn't have access to, but it was able to run 'strings' on the binary. When I asked, it admitted fault and promised to control itself.
any particular reason you're not using a sandbox?