This also doesn't protect from a "trusting trust" attack where the LLM read my webpage and gets tricked into inserting a vulnerability in the application itself working on.

I feel like the only good sandboxing at this point is one that also blocks generic web access.