3 points by wang_cong 4 hours ago | 2 comments
  • hackerman70000 4 hours ago
    "AI agents are not adversaries" is doing a lot of work for a product pitch. Supply chain attacks via pip install, prompt injection via fetched documents, and model hallucination all produce behavior indistinguishable from a malicious actor at the syscall level. Whether the agent "has intent" is irrelevant to the kernel. Defense in depth means you assume the threat model you're comfortable with is wrong.
  • JSR_FDED 4 hours ago
    This is a fine start for filesystem and network policies. But before I’m ever going to be comfortable with an OpenClaw-like thing running on my system on my behalf, I’m going to want policies at an application level as well - which emails can be read, sent, deleted. Same for calendar entries and instant messaging, etc.
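As an added illustration of the application-level mail policy JSR_FDED asks for (and of hackerman70000's point that the agent's intent is not something the enforcement layer can or should consult), here is a small default-deny gate for an agent's mail tool calls. This is example code written for this page, not code from the discussed project; the tool names read_email / send_email / delete_email, the MailPolicy fields, and the sample call trace (including the call an injected document might trigger) are all constructed assumptions.

```python
"""Application-level policy gate for an agent's mail tool calls.

Added illustration, not part of the thread or of any real product: the tool
names, policy fields and the sample call trace below are all constructed."""

from dataclasses import dataclass


@dataclass
class MailPolicy:
    # Folders the agent may read from
    readable_folders: frozenset = frozenset({"INBOX"})
    # Recipient domains the agent may send to; empty means no sending at all
    allowed_recipient_domains: frozenset = frozenset()
    # Whether the agent may delete anything
    allow_delete: bool = False
    # Upper bound on recipients per message (limits bulk exfiltration via CC/BCC)
    max_recipients: int = 1


@dataclass
class Decision:
    allowed: bool
    reason: str


def _recipient_domain(addr: str) -> str:
    # Accept "Name <user@host>" or bare "user@host"; anything else yields "" (rejected)
    addr = addr.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1 : -1]
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def check_mail_call(policy: MailPolicy, tool: str, args: dict) -> Decision:
    """Default-deny gate. The agent's stated reason for a call is deliberately
    not an input: a prompt-injected request and a legitimate one look the same
    here, so only the policy decides."""
    if tool == "read_email":
        folder = args.get("folder", "")
        if folder in policy.readable_folders:
            return Decision(True, f"read from {folder} permitted")
        return Decision(False, f"folder {folder!r} not readable")
    if tool == "send_email":
        to = args.get("to", [])
        if not isinstance(to, list) or not to:
            return Decision(False, "recipient list missing or malformed")
        if len(to) > policy.max_recipients:
            return Decision(False, f"{len(to)} recipients exceeds limit {policy.max_recipients}")
        for r in to:
            dom = _recipient_domain(r)
            if not dom or dom not in policy.allowed_recipient_domains:
                return Decision(False, f"recipient {r!r} not in allowed domains")
        return Decision(True, "all recipients in allowed domains")
    if tool == "delete_email":
        if policy.allow_delete:
            return Decision(True, "delete permitted by policy")
        return Decision(False, "delete disabled by policy")
    return Decision(False, f"unknown tool {tool!r}")


def run_agent_calls(policy: MailPolicy, calls: list) -> list:
    """Apply the gate to a sequence of (tool, args) pairs; decisions come back in order."""
    return [check_mail_call(policy, tool, args) for tool, args in calls]


# Constructed sample: the agent may read the inbox and write only to the user's
# own domain. The trace mixes legitimate calls with ones an injected document
# might have triggered; the gate cannot tell which is which and does not need to.
SAMPLE_POLICY = MailPolicy(
    readable_folders=frozenset({"INBOX"}),
    allowed_recipient_domains=frozenset({"example.com"}),
    allow_delete=False,
    max_recipients=3,
)
SAMPLE_CALLS = [
    ("read_email", {"folder": "INBOX"}),
    ("send_email", {"to": ["Alice <alice@example.com>"]}),
    ("send_email", {"to": ["attacker@evil.example"]}),                 # injected exfil attempt
    ("send_email", {"to": ["bob@example.com", "x@evil.example"]}),     # one bad recipient poisons the call
    ("delete_email", {"id": "42"}),
    ("read_email", {"folder": "Sent"}),
]

if __name__ == "__main__":
    for (tool, args), d in zip(SAMPLE_CALLS, run_agent_calls(SAMPLE_POLICY, SAMPLE_CALLS)):
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {tool:12} {d.reason}")
```

The gate sits between the model and the mail client and never sees the model's justification for a call, which is the practical consequence of treating hallucination, injection and a compromised dependency identically: the same allowlist blocks all three. Filesystem and network policies at the OS level would not distinguish "send to alice@example.com" from "send to attacker@evil.example", since both are one HTTPS request to the same mail server, which is exactly why this check has to live at the application layer.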