Unless you use --unshare-net, bwrap leaves the network wide open by default. The agent can not only accidentally delete a file, but also exfiltrate keys or download a malicious package.
As a next step, I'd add a network namespace (--unshare-net) and spin up a local HTTP proxy (mitmproxy) inside the sandbox to allow access only to Anthropic APIs and maybe PyPI/NPM, while blocking everything else.
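The per-connection decision such an allowlisting proxy has to make, as an added example that is not part of the original comment. The hostnames are assumptions standing in for "Anthropic APIs and maybe PyPI/NPM", and `decide` and `denied` are hypothetical helpers, not mitmproxy APIs.

```python
import ipaddress

# Assumed endpoints; adjust to what the agent's tools really contact.
ALLOWED = {
    "api.anthropic.com": {443},
    "pypi.org": {443},
    "files.pythonhosted.org": {443},
    "registry.npmjs.org": {443},
}


def decide(authority):
    """Return (allowed, reason) for a proxy CONNECT target such as 'host:443'."""
    host, sep, port = authority.strip().rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        return False, "malformed authority"
    # Normalise case, IPv6 brackets and a single trailing root dot.
    host = host.strip("[]").lower().removesuffix(".")
    try:
        ipaddress.ip_address(host)
        return False, "IP literal sidesteps the name-based policy"
    except ValueError:
        pass  # not an IP address, so treat it as a hostname
    # Exact match only: suffix or substring matching would also accept
    # look-alikes such as 'api.anthropic.com.evil.example'.
    ports = ALLOWED.get(host)
    if ports is None:
        return False, "host not on allowlist"
    if int(port) not in ports:
        return False, "port not allowed for this host"
    return True, "allowed"


def denied(targets):
    """Return the (target, reason) pairs a default-deny proxy would refuse."""
    results = ((target, decide(target)) for target in targets)
    return [(target, why) for target, (ok, why) in results if not ok]


# Constructed sample of CONNECT targets, not captured traffic.
SAMPLE_TARGETS = [
    "api.anthropic.com:443",
    "API.Anthropic.com.:443",
    "api.anthropic.com.evil.example:443",
    "pypi.org:80",
    "203.0.113.7:443",
]

if __name__ == "__main__":
    for target, why in denied(SAMPLE_TARGETS):
        print(f"DENY {target}: {why}")
```

The policy is default-deny, so anything that fails to parse is refused rather than passed through.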