Codex can read sensitive files outside the CWD without approval

If you directly ask Codex to read ~/.ssh/id_rsa, it will usually decline due to "safety concerns". However, the sandbox which the agent is running in doesn't restrict reads outside the working directory in any way and you won't even be asked for approval - it's just a prompt (injection) away. The Codex developers close issues related to this problem and simply suggest running Codex "in a docker container or VM" [1].

To quote the Codex security documentation [2]:

> We’ve chosen a powerful default for how Codex works on your computer. In this default approval mode, Codex can read files, make edits, and run commands in the working directory automatically.

> However, Codex will need your approval to work outside the working directory or run commands with network access. [...]

As a new, naive user (which I was), I'd assume based on the text above that Codex wouldn't be able to extract secrets and read my browser history or whatever else on my PC if I started it in VSCode for example. Running Codex in a Docker container or VM is totally valid and quite a few people are probably doing that, like in a CI/CD pipeline, however, that's definitely the minority.

How is this not a bigger deal? In my experience, other agentic tools like Claude Code give the user much more control in regards to safety and what OpenAI is doing here feels highly irresponsible IMHO.

[1] https://github.com/openai/codex/issues/5237#issuecomment-3536026833

[2] https://developers.openai.com/codex/security/