> proper whitelists for allowed commands (you can run uv run <anything>, but rm requires approval every time)

This is a nearly impossible problem to solve.

uv run rm *

Sandboxing and limiting its blast radius is the only reliable solution. For more inspiration: https://gtfobins.github.io/