Cowork’s permission model is explicit, folder-scoped access: it can only read or modify files inside the folder(s) you choose to share with it, and it should not be able to see the rest of your filesystem unless you grant access. This is a key difference from a normal chat workflow where you upload individual files—Cowork is designed to operate over a directory directly, but that directory boundary is also the main security boundary. The practical implication is simple: if you don’t want Cowork to touch something, don’t put it in the shared folder, and don’t share a parent directory that contains unrelated sensitive material. Treat the shared folder like a sandbox workspace you created specifically for the task.
Within that sandbox, Cowork can perform read/write actions to complete tasks, but it is designed to ask permission before certain high-risk operations, and its behavior is framed as “you stay in control.” It also runs in an isolated execution environment (a VM-style setup) on your computer, which is meant to separate the agent runtime from the rest of your system. For network access, the model is that Cowork has internet access (part of why it is described as having unique risks) but respects your network egress constraints. The operational takeaway for developers is to keep permissions minimal and to structure work so that outputs are written to an out/ directory rather than modifying the originals. If you are integrating connectors (for example, MCP-style connectors), treat each connector as another permission surface: enable only what the task actually needs and disable the rest.
This permission model lines up well with best practices for preparing data for retrieval systems. If you want Cowork to help build a knowledge base, create a dedicated ingestion workspace: raw/ (immutable source snapshot), work/ (Cowork’s permitted folder), and out/ (final artifacts). Cowork operates only in work/ and writes to out/, while your pipeline validates out/ and then indexes it. That makes the boundary explicit and auditable. From there, you can embed the cleaned documents and store them in a vector database such as Milvus or Zilliz Cloud with metadata fields that reflect the permission boundary (source folder, doc IDs, owners, timestamps). This keeps “desktop permissions” and “backend access control” aligned: Cowork only ever sees what you put in front of it, and your production system remains governed by your own auth and indexing rules.
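The raw/, work/, out/ layout described above, as an added Python example that is not part of Cowork, Milvus or Zilliz Cloud: the pipeline step that validates out/ before indexing. It assumes a hypothetical workspace built in a temp directory with constructed sample files; it proves the raw/ snapshot is untouched via a hash manifest, refuses any artifact in out/ that is a symlink crossing the folder boundary, and emits the metadata record (source folder, doc ID, owner, timestamp) that would sit beside each embedding.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def file_sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot_manifest(raw_dir: Path) -> dict:
    """Hash every file under raw/ so the snapshot can later be proven untouched."""
    return {str(p.relative_to(raw_dir)): file_sha256(p)
            for p in sorted(raw_dir.rglob("*")) if p.is_file()}

def raw_unchanged(raw_dir: Path, manifest: dict) -> bool:
    """True only if raw/ still matches the manifest (no edits, additions, deletions)."""
    return snapshot_manifest(raw_dir) == manifest

def validate_out(workspace: Path, owner: str) -> list:
    """One metadata record per artifact in out/; refuse symlinks that escape out/."""
    out_dir = (workspace / "out").resolve()
    records = []
    for root, dirs, files in os.walk(out_dir):  # os.walk does not follow symlinks
        for name in dirs + files:
            p = Path(root) / name
            if p.is_symlink() or out_dir not in p.resolve().parents:
                raise ValueError(f"artifact escapes out/ boundary: {p}")
        for name in sorted(files):
            p = Path(root) / name
            records.append({
                "doc_id": file_sha256(p),  # content hash doubles as a stable id
                "source_folder": str(Path(root).relative_to(out_dir)),
                "path": str(p.relative_to(out_dir)),
                "owner": owner,
                "ingested_at": datetime.now(timezone.utc).isoformat(),
            })
    return records

def build_demo_workspace(with_escape: bool = False) -> Path:
    """Constructed sample workspace; with_escape plants a symlink from out/ into raw/."""
    ws = Path(tempfile.mkdtemp(prefix="cowork-ws-"))
    for sub in ("raw", "work", "out/reports"):
        (ws / sub).mkdir(parents=True)
    (ws / "raw" / "policy.txt").write_text("original policy text\n")
    (ws / "out" / "policy.md").write_text("# Policy\ncleaned text\n")
    (ws / "out" / "reports" / "summary.md").write_text("summary\n")
    if with_escape:
        os.symlink(ws / "raw" / "policy.txt", ws / "out" / "leak.txt")
    return ws
```

Run the validator after Cowork finishes and before anything is embedded; a raised ValueError means the boundary was crossed and the batch should not be indexed.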