> create a symlink that allows them to browse outside the bind mount Could you reproduce that? iiuc the symlink that the agent creates should follow to the path that's still inside the container.

You could try something like this https://github.com/andersonjoseph/jailed-agents

I'm actually moving to containerised isolation. I realised the agents waste too much time trying to correctly install dependencies, not unlike a normal nixos user.

I switched from iCloud Mail to Fastmail and I’m happy.

I grew up with every service enshitified in the end. Whoever has more money wins the race and gets richer, that's free market for ya.

At a certain point though we can't only blame the free market or the companies. Consumers should know better than to choose products that are anti-consumer. The fact that they don't know better and don't care is the bigger problem. Until we figure out what to do about that any solution is going to be dangerously paternalistic.