When an agent fetches a URL, it's running someone else's content inside your stack. The naive setup — same network, same egress, same secrets — is a footgun the moment a model decides a malicious page's instructions are worth following.
We isolate every browser run inside an ephemeral worker with no inbound network, scrubbed env, and a per-run egress allowlist. The agent doesn't know what it lost; the rest of the system doesn't know it ran.
The shape we settled on: one boundary per run, no shared state, and a kill switch that doesn't require human review. It's boring on purpose.
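The per-run boundary described above, as an added Python example (not the authors' implementation): an allowlist-scrubbed environment, an exact-match egress policy built fresh for each run, and a deadline that kills the worker without anyone approving it. `ENV_KEEP`, `RunPolicy`, `run_worker` and the sample hosts are assumptions; the network enforcement itself (no inbound, filtered egress) is assumed to live in a proxy or firewall that applies `allows()`.

```python
import os
import subprocess
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: the only variables a worker needs. Everything else is dropped.
ENV_KEEP = ("PATH", "LANG", "TZ")

def scrubbed_env(parent):
    """Allowlist, not denylist: secrets are removed without having to be named."""
    return {k: parent[k] for k in ENV_KEEP if k in parent}

@dataclass(frozen=True)
class RunPolicy:
    """Built once per run and never reused, so no state crosses runs."""
    egress: frozenset          # exact (host, port) pairs for this run only
    timeout_s: float = 30.0    # hard deadline: the automatic kill switch

    def allows(self, url):
        """Decision an egress proxy would apply to each outbound request."""
        try:
            parts = urlsplit(url)
            port = parts.port          # raises ValueError on a malformed port
        except ValueError:
            return False
        # Reject non-TLS schemes, userinfo tricks (allowed.host@other.host), empty hosts.
        if parts.scheme != "https" or parts.username is not None or not parts.hostname:
            return False
        host = parts.hostname.rstrip(".").lower()
        # Exact match only: no suffix or wildcard matching, no implicit subdomains.
        return (host, port or 443) in self.egress

def run_worker(argv, policy, parent_env=None):
    """Run one worker with a scrubbed env; returns (returncode, stdout).

    On deadline, subprocess.run kills the child before raising, so the
    caller gets (None, "") and no human is in the loop.
    """
    env = scrubbed_env(os.environ if parent_env is None else parent_env)
    try:
        done = subprocess.run(argv, env=env, capture_output=True,
                              text=True, timeout=policy.timeout_s)
        return done.returncode, done.stdout
    except subprocess.TimeoutExpired:
        return None, ""
```
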