turnsout 15 hours ago

Honestly it sounds like they went above and beyond. Does this solve the trifecta, or is the network still exposed via connectors?

  • simonw 14 hours ago

    Looks like the Ubuntu VM sandbox locks down access to an allow-list of domains by default - it can pip install packages but it couldn't access a URL on my blog.

    That's a good starting point for lethal trifecta protection but it's pretty hard to have an allowlist that doesn't have any surprise exfiltration vectors - I learned today that an unauthenticated GET to docs.google.com can leak data to a Google Form! https://simonwillison.net/2026/Jan/12/superhuman-ai-exfiltra...

    But they're clearly thinking hard about this, which is great.
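The allowlist gap simonw describes, shown as an added example that is not code from the original thread or from the sandbox under discussion: a domain-only egress check beside a path-aware one, audited over a constructed set of outbound requests. The allowed hosts, path prefixes and the 64-byte query budget are assumptions, and the form path is a placeholder.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed policy: hosts the sandbox may reach (illustrative entries only).
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org", "docs.google.com"}

# Stricter policy: host plus the path prefixes a task actually needs, and a cap
# on how many bytes of caller-controlled data may ride along in the query string.
ALLOWED_PREFIXES = {
    "pypi.org": ("/simple/",),
    "files.pythonhosted.org": ("/packages/",),
    "docs.google.com": ("/document/d/",),
}
MAX_QUERY_BYTES = 64  # assumed budget; tune per endpoint


def host_allowlist(url):
    """Domain-only allowlist: the kind of policy the comment above describes."""
    return urlsplit(url).hostname in ALLOWED_HOSTS


def path_aware_allowlist(url):
    """Host + path prefix + bounded query: catches 'allowed host, surprising endpoint'."""
    parts = urlsplit(url)
    prefixes = ALLOWED_PREFIXES.get(parts.hostname)
    if not prefixes or not parts.path.startswith(prefixes):
        return False
    query_bytes = sum(len(k) + len(v)
                      for k, v in parse_qsl(parts.query, keep_blank_values=True))
    return query_bytes <= MAX_QUERY_BYTES


def audit(urls):
    """Return the URLs the host-only policy permits but the path-aware policy rejects."""
    return [u for u in urls if host_allowlist(u) and not path_aware_allowlist(u)]


# Constructed sample of outbound requests observed during an agent run.
SAMPLE = [
    "https://pypi.org/simple/requests/",
    "https://files.pythonhosted.org/packages/ab/cd/requests-2.32.0-py3-none-any.whl",
    "https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit",
    # allowed host, unexpected endpoint, ~200 bytes riding in the query string
    "https://docs.google.com/PLACEHOLDER_FORM_PATH?entry.1=" + "A" * 200,
    # allowed host and path, but far more query data than a page load needs
    "https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit?note=" + "B" * 100,
    "https://simonwillison.net/",  # not on the host list; both policies block it
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("host-only policy would have allowed:", url[:80])
```

Running it prints the two docs.google.com requests that slip past the host-only policy, which is the class of surprise the comment warns about.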

  • rvz an hour ago

    > Does this solve the trifecta, or is the network still exposed via connectors?

    Having sandboxes and VMs still doesn't mean the agent can still escape out of all levels and still exfiltrate data.

    It just means the attackers need more vulnerabilities and exploits to chain together for a VM + sandbox and permissions bypass.

    So nothing that a typical Pwn2Own competition can't break.