Recommended way of running docker within a sandbox?

[manfredlift]

I am using the upstream Pi coding agent profile that has been extended by myself. In some repos I have a need to do docker build or even docker run for testing. What's the best way to allow this with minimal security sacrifices?

Currently I just added below to the profile

     "allow_file": [],
     "read_file": [],
     "write_file": [],
+    "unix_socket": ["/Users/mliiv/.colima/default/docker.sock"],
     "deny": [],
     "bypass_protection": [],
     "suppress_save_prompt": []
@@ -33,6 +34,11 @@
     "listen_port": [],
     "custom_credentials": {}
   },
+  "environment": {
+    "set_vars": {
+      "DOCKER_HOST": "unix:///Users/<user>/.colima/default/docker.sock"
+    }
+  },