Both Agent Safehouse and Nono (get it, no-no?) use macOS sandboxing to execute agents.

Agent Safehouse

Pull down a self-contained Bash script with curl, and drop it in ~/.local/bin. Run your agent command prefixed with safehouse: safehouse opencode.
The tool auto-detects the git root of the working directory, applies a deny-all baseline, and layers on permissions for common toolchains.

Nono

Same, but installed with brew. Then nono run --profile claude-code -- claude to run a sandboxed agent.

Nono works on Linux as well, Agent Safehouse is macOS only. Nono is written in Rust, AS is all fish-shell scripting.

Founderland.ai mentions a few other:

Microsandbox and Agent Harbor lean on VM-level isolation. DevCage and AgentSphere target multi-platform or cloud deployments. Kilntainers gives each agent an ephemeral Linux sandbox via containers or microVMs.

May be worth investigating. It’s a fledgling space, so new tools will come and go.