Every agentic browser faces the same core risk: prompt injection. The difference is how you architect around it.

Our approach: the AI agent runs in a completely isolated browser profile. Zero access to your cookies, logins, or browsing data from your main profile. No server-side retention. Never trains on your data. The alignment checker is firewalled from raw website content, reducing the risk of subversion by the same page attacking the task model. Everything happens in an open tab you can inspect and pause.

We shipped this in Nightly behind a feature flag because agentic browsing is inherently dangerous and we said that publicly. We doubled bug bounty payouts for AI browsing vulnerabilities. The code is open source.

You can build this responsibly or you can build it fast. We chose responsibly.