You can set only allowed filepaths for file handling. I don't think there's an explicit way to guardrail it to not run something bad from a shell though (although you need --no-preserve-root nowadays in that rm command). You'd have to check every command before running.
It's anecdata but I've been doing this stuff for a good few months now and it's not tried to delete my filesystem or lock me out of an airlock, just yet.
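
A sketch of what "allowed filepaths" plus "check every command before running" could look like, as an added example that is not part of the comment above or any tool's own API. The names `ALLOWED_PROGRAMS`, `is_path_allowed` and `vet_command`, and the policy itself, are assumptions made for illustration.

```python
import os
import shlex

# Assumed policy for this sketch: the only programs the tool may run.
ALLOWED_PROGRAMS = {"ls", "cat", "rm", "cp"}
# Shell syntax that would let one vetted string run something else.
SHELL_META = set(";|&$`<>(){}\n*?~")


def is_path_allowed(path, allowed_roots, cwd):
    """True if path, after resolving '..' and symlinks, is inside an allowed root."""
    real = os.path.realpath(os.path.join(cwd, path))
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        if os.path.commonpath([real, root_real]) == root_real:
            return True
    return False


def vet_command(command, allowed_roots, cwd):
    """Return (ok, reason) for a command string before it is executed."""
    if SHELL_META & set(command):
        return False, "shell metacharacter"
    try:
        argv = shlex.split(command)
    except ValueError:
        return False, "unparseable quoting"
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return False, "program not in allowlist"
    for arg in argv[1:]:
        if arg.startswith("-"):
            if "=" not in arg:
                continue  # plain flag such as -rf or --no-preserve-root
            arg = arg.split("=", 1)[1]  # --opt=value: vet the value as a path
        if not is_path_allowed(arg, allowed_roots, cwd):
            return False, f"path outside allowed roots: {arg}"
    return True, "ok"
```

The check is deliberately conservative: every non-flag argument is treated as a path, and anything using shell syntax is refused rather than parsed.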