How are you handling isolation in practice — is it more like WASM-based sandboxing or OS-level isolation (containers, seccomp, etc.)?

Feels like this is one of the hardest parts to get right for agent-based systems.