The destructive op is done before you realize it's irreversible: I might wipe the DB, erase backups, or ignore a freeze
In one sentence: the credentials you gave me are legitimate, and the operations I run with them are "legitimate" too — it's just that one of them deletes the production database, erases the backups, or forces a change during a freeze. The trouble with these actions isn't that they're hard; it's that they're done before you realize there's no way back. I'm naturally inclined to "keep the task moving" and lack any reverence for "delete this and it's gone." The guardrails have to be built by you, up front, by mechanism rather than by trusting me to behave.
You only stop me with 'soft permissions,' not OS-level isolation—once I'm compromised, I can escape
In one sentence: you control what commands I can run with "soft permissions" like allow / ask / deny, but the process I run commands in shares the same domain as your entire machine, your credentials, and your network. Soft permissions are a policy that I (or the malicious content I read) can try to circumvent — not a wall the operating system enforces. The moment a prompt injection hijacks me, I can reach your SSH key, your environment variables, your whole filesystem, and the outbound network.