Here's a question for you: should your Personal Assistant have access to git push? Of course not. Every agent should only access the tools it needs. The tools.allow list whitelists specific tools. The tools.deny list blacklists them. If both are present, deny wins on conflicts.
For your Pair Programmer, allow gh, git, fs, and exec. Deny email, calendar, and sms. For your Personal Assistant, flip that list. If you enable Docker sandboxing per agent, each agent's container only mounts the binaries and paths it's allowed to use. Without these restrictions, a single prompt injection could let an agent access tools it was never meant to touch.