
I use bubblewrap. This ensures it only has access to the current working directory and its own configuration. No ability to commit or push (since it doesn't have access to ssh keys) or try to run aws commands (no access to awscli configuration) and so on. It can read anything from my .envrc, since it doesn't have access to direnv or the parent directory. You could lock down the network even further if you wanted to limit web searches.

  #!/bin/sh
  # Wrapper around opencode. bwrap starts from an empty root, so anything not
  # bound below simply does not exist inside the sandbox: no ~/.ssh, ~/.aws,
  # ~/.gitconfig, and nothing above the project directory. Read-write: the
  # opencode install, the project directory, opencode's config and /run/systemd.
  # Read-only: the system directories. /tmp is a fresh tmpfs; /proc and /dev are
  # new instances. The caller is expected to set OPENCODE_ROOT (install
  # directory) and OPENCODE_BINDIR (directory holding the opencode binary).
  : "${OPENCODE_ROOT:?not set}" "${OPENCODE_BINDIR:?not set}"
  CURRENT_DIR="${CURRENT_DIR:-$PWD}"

  exec bwrap \
    --unshare-pid \
    --unshare-ipc \
    --unshare-uts \
    --share-net \
    --bind "$OPENCODE_ROOT" "$OPENCODE_ROOT" \
    --bind "$CURRENT_DIR" "$CURRENT_DIR" \
    --bind "$HOME/.config/opencode/" "$HOME/.config/opencode/" \
    --ro-bind /bin /bin \
    --ro-bind /etc /etc \
    --ro-bind /lib /lib \
    --ro-bind /lib64 /lib64 \
    --ro-bind /usr /usr \
    --bind /run/systemd /run/systemd \
    --tmpfs /tmp \
    --proc /proc \
    --dev /dev \
    --setenv OPENCODE_EXPERIMENTAL_LSP_TOOL true \
    --setenv EDITOR emacs \
    --setenv PATH "$OPENCODE_BINDIR:/usr/bin:/bin" \
    --setenv HOME "$HOME" \
    -- \
    "opencode" "$@"
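
An added example, not code from the comment above or from the opencode project: a small checker for the kind of bwrap layout the comment uses. Because bwrap starts from an empty root, "not under any --bind/--ro-bind destination" means "does not exist in the sandbox", so visible_in_sandbox() can answer "would PATH be reachable inside?" from the flag list alone, without bwrap installed; live_probe() confirms the answer from inside a real sandbox when bwrap is present. The function names, the /home/alice paths and the sample file list are constructed for the example; the layout mirrors the comment's but leaves out the opencode install directory and /run/systemd, and uses --ro-bind-try for /lib64, so that the live probe also runs on hosts without systemd or /lib64.

```shell
#!/bin/sh
# Added example (not the comment's script). Checks what a bwrap layout like the
# one above exposes. Sample paths under /home/alice are constructed input.
set -u

# visible_in_sandbox PATH [BWRAP_FLAGS...]
# Exit 0 if PATH is at or below the destination of some bind flag, 1 otherwise.
# bwrap's root is empty, so a path under no bind destination is absent from the
# sandbox entirely. --tmpfs/--proc/--dev are skipped on purpose: those mount
# points exist inside but carry no host data.
visible_in_sandbox() {
  path="$1"; shift
  while [ $# -gt 0 ]; do
    case "$1" in
      --bind|--ro-bind|--dev-bind|--bind-try|--ro-bind-try|--dev-bind-try)
        dest="${3%/}"                 # form is FLAG SRC DEST; drop a trailing slash
        case "$path" in
          "$dest"|"$dest"/*) return 0 ;;
        esac
        shift 3 ;;
      *) shift ;;                     # other flags and their operands
    esac
  done
  return 1
}

# sandbox_layout PROJECT_DIR HOME_DIR CMD [CMD_ARGS...]
# Runs CMD with CMD_ARGS followed by the bind flags of the comment's layout
# (minus the opencode install directory and /run/systemd; /lib64 via
# --ro-bind-try so hosts without it still work).
sandbox_layout() {
  project="$1"; home_dir="$2"; shift 2
  "$@" \
    --unshare-pid --unshare-ipc --unshare-uts --share-net \
    --bind "$project" "$project" \
    --bind "$home_dir/.config/opencode" "$home_dir/.config/opencode" \
    --ro-bind /bin /bin --ro-bind /etc /etc --ro-bind /lib /lib \
    --ro-bind-try /lib64 /lib64 --ro-bind /usr /usr \
    --tmpfs /tmp --proc /proc --dev /dev \
    --setenv HOME "$home_dir"
}

# run_bwrap FLAGS... : helper for live_probe; PROBE_PATH is set by the caller.
run_bwrap() {
  bwrap "$@" -- /bin/sh -c 'test -e "$1"' probe "$PROBE_PATH"
}

# live_probe PATH PROJECT_DIR HOME_DIR
# Exit 0 if PATH exists inside the real sandbox, 1 if not, 2 if bwrap is not
# installed. PROJECT_DIR and HOME_DIR/.config/opencode must exist on the host.
live_probe() {
  command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed; skipping live probe" >&2; return 2; }
  PROBE_PATH="$1"
  sandbox_layout "$2" "$3" run_bwrap
}

# report PROJECT_DIR HOME_DIR: static visibility of the locations the comment
# cares about (project files, tool config, ssh keys, aws credentials, the
# parent directory's .envrc) plus /etc/passwd, which is bound read-only.
report() {
  rp="$1"; rh="$2"
  for p in "$rp/src/main.go" "$rh/.config/opencode/config.json" \
           "$rh/.ssh/id_ed25519" "$rh/.aws/credentials" \
           "$rh/work/.envrc" /etc/passwd; do
    if sandbox_layout "$rp" "$rh" visible_in_sandbox "$p"; then
      printf 'visible  %s\n' "$p"
    else
      printf 'hidden   %s\n' "$p"
    fi
  done
}

# Usage: ./sandbox-check.sh [PROJECT_DIR] [HOME_DIR]; on a real machine pass
# "$PWD" "$HOME". Defaults are the constructed sample locations.
report "${1:-/home/alice/work/proj}" "${2:-/home/alice}"
```

The static check is the part worth keeping in a pre-commit or CI step for the wrapper script: it catches the easy regression of adding a convenience bind like "$HOME" or "$HOME/.config" that silently pulls ssh keys or cloud credentials back into the sandbox. Note that /etc is reported visible: it is read-only, but anything secret under it (for example /etc/ssl/private on some systems, if readable by the user) is still exposed, which is one of the places a tighter layout would switch to binding individual files.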