Can anyone with more experience with systems programming tell me if it’s feasible to whitelist syscalls that are “read only” and allow LLMs free rein as long as their sub-processes don’t mutate anything?