A simple solution is to use bubblewrap locally. Only bind mount specific directories into it and a copy of your vscode config (which you could merge any changes back if you need). Then you can install random extensions and let the AI wreak havoc generally without it leaking to your main system. On arch linux bwrap'ing vscode also seems to work without zypak.
