Only disable the sandbox when a command actually fails due to it
Do not use dangerouslyDisableSandbox: true unless a command has already failed due to a sandbox restriction. Commands like find, ls, make, and operations within the project directory work fine in the sandbox.
Why: Unnecessary sandbox bypasses trigger an approval prompt for the user. The user noticed excessive prompts caused by preemptive bypasses.
How to apply: Default to the sandbox. Only retry with dangerouslyDisableSandbox: true after seeing 'Operation not permitted' or access-denied errors for paths outside the allowed directories.
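
An added example (not part of the original note and not the tool's own code) of the retry decision described under "How to apply": run sandboxed first, and bypass only when the failure output points at the sandbox. The function names, the run callable and the access-denied marker strings are assumptions made for illustration.

```python
import os
import re

# 'Operation not permitted' comes from the note; the access-denied spellings are assumptions.
EPERM = "operation not permitted"
ACCESS_DENIED = ("permission denied", "access denied")
# Absolute paths only: a '/' that does not continue a relative path such as build/out.txt.
ABS_PATH = re.compile(r"(?<![\w.\-])/[^\s'\":]+")


def is_inside(path, allowed_dirs):
    """True if path lies under an allowed directory (lexical check, symlinks not resolved)."""
    norm = os.path.normpath(path)
    for d in allowed_dirs:
        base = os.path.normpath(d)
        if norm == base or norm.startswith(base.rstrip(os.sep) + os.sep):
            return True
    return False


def should_retry_unsandboxed(exit_code, stderr, allowed_dirs):
    """Decide whether a failed sandboxed command justifies a retry with the bypass."""
    if exit_code == 0:
        return False  # it worked in the sandbox
    text = stderr.lower()
    if EPERM in text:
        return True
    if any(marker in text for marker in ACCESS_DENIED):
        # A denial on a path inside the allowed dirs is an ordinary file-permission
        # problem; the sandbox is not the cause, so a bypass would only cost a prompt.
        return any(not is_inside(p, allowed_dirs) for p in ABS_PATH.findall(stderr))
    return False  # compile error, missing file, failing test, ...


def run_with_fallback(run, command, allowed_dirs):
    """run(command, disable_sandbox) -> (exit_code, stderr) is a hypothetical runner.

    Returns (exit_code, stderr, bypass_used).
    """
    code, err = run(command, False)  # always start sandboxed
    if should_retry_unsandboxed(code, err, allowed_dirs):
        code, err = run(command, True)
        return code, err, True
    return code, err, False
```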