3 points by vmatsiiako 12 hours ago | 1 comment
  • raffaeleg 7 hours ago
    Credential isolation is one of the primitives most agent stacks skip until they ship to a second customer. At empla.io every customer gets a dedicated AWS container, which bounds the credential surface but does not solve the vault problem for user-delegated scopes. The harder half is trust: the biggest adoption blocker we see is data privacy anxiety, especially with European users, so how credentials are stored matters as much as whether they can be leaked by the model. Gradual trust building helped us here: calendar access first, then email, then anything touching Drive; each level unlocks after the user has seen the previous one behave. Does Agent Vault enforce policy at invocation time, or is scoping static per credential?