AI cannot be trusted with an incomplete sandbox

[bakkot]

One of the motivating use cases is AI, which is to say, running sloppy but not actively hostile code:

Encapsulate AI code to avoid it coming up with matching globals elsewhere or producing misguided attempts at polyfills inline
Doesn't need to be security-grade isolation to contain impact of faulty code
Generated code can interact, import and call functions regardless of the isolation

The assumption appears to be that such a sandbox is sufficient to contain the code written by an AI under your direction.

This, I think, is a serious misunderstanding of where AI is at today. LLMs, especially but not exclusively Claude, are notorious for using whatever tools are available to them in order to meet their nominal objective. I am quite certain that if Claude decided it needed access to the outer global for some reason then it would have no compunctions about writing code which reached for (function(){}).constructor in order to get that.

[naugtur]

The ultimate goal is to use the Global as a building block for complete isolation of the Compartment kind. That's where the details like keys and resulting properties on a global being configurable come from.

I'm trying to present the varying levels of isolation this proposal is capable of. Even the most basic isolation would be a major step-up compared to what web developers do now. And It would be useful when the AI doesn't expect to be running in isolation.
The use case in which we don't claim any security guarantees is low effort and low impact on ecosystem compatibility (so AI can regurgitate known patterns without learning anything new about the environment)
When you consider AI safety - as in being sure even intention alignment going wrong is covered - the Principle of Least Authority motivating use case is more suitable.

That being said, your feedback is well received and I'm looking forward to getting help figuring out where to draw the line and which behaviors to make default.