exactly, egress control is the second half of that puzzle. A perfect sandbox is useless for dlp if the agent can just hallucinate your private keys or pii into a response and beam it back to the model provider. it’s basically an exfiltration risk that traditional infra-level security isn't fully built to catch yet.