Questions
No — not unless your user says so. The client treats every server the way a browser treats a website: default-deny. Out of the box it cannot read a file, write a file, reach another host, run a subprocess, or open the browser.
Each capability is granted per origin — the specific server address the CLI talks to — so a grant you give one app never carries over to another. Storage is isolated the same way: each origin gets its own space and can’t see anyone else’s.
When your app legitimately needs something (say, writing a config file to ~/.myapp), the user grants exactly that path with the policy tool, and nothing more. A server can ask; it can’t reach past what it was given.
That’s the whole model: your users stay in control of their machines, and you get to ship a CLI that security teams don’t have to worry about.