1. Executive summary
- The assistant has the same permissions you do on your computer. It can technically reach your files — but the well-designed ones are built to stay inside the specific folder you point them at. Scope it to a project folder and that concern mostly disappears.
- Your saved passwords are safe from silent theft. Your computer's password vault requires a separate fingerprint/password check every time, which an app can't fake.
- The permission pop-ups are manageable: allow the one that lets the tool run commands (it needs that to work); decline the one asking for network-drive access (it doesn't need that).
- The biggest risk isn't the AI — it's autonomy. A tool you launch, watch, and close is a totally different risk level than an agent that runs on its own schedule while you're away.
- Your files do leave your computer with any cloud-based tool — similar to how online backup or a cloud document works. The protection that matters is whether the provider uses your data for training; paid/developer tiers usually don't, but verify it, because these terms change.
- You keep ownership of what you create. Using an AI to help doesn't hand your work to the provider, any more than using a word processor does. The real concern is confidentiality, not ownership.
- For maximum peace of mind, you can run these tools inside a separate user account on your computer — a real wall that the tool cannot see past. Optional, but the strongest single safeguard.
- Above all: make a conscious choice, not an accidental one. That's what this guide is for.
2. Start here: the command line is scary
If you've never used a "terminal" (the text-only black window where you type commands) or you've never let software act on your files before, a little anxiety is reasonable and healthy. Here's how to reframe it.
The terminal is just a different door into the same house. Everything you do by clicking icons — opening folders, moving files, running programs — can also be done by typing. The terminal feels intimidating because it's unfamiliar and unforgiving of typos, not because it's inherently dangerous. It's a tool that does exactly what it's told. Nothing happens until you press Enter.
You are always the supervisor. With a tool like Claude Code, nothing runs until you ask, and you can see each action as it happens. If anything looks wrong, you stop it instantly by holding Ctrl and pressing C (written Ctrl+C). Think of it like a co-pilot who narrates every move and hands control back the moment you say "stop."
You can't break your computer by reading this guide or by typing carefully. The genuinely destructive commands are specific and rare, and a good assistant won't run them without telling you first. The everyday work — creating files, organizing folders, building a small project — is low-stakes and reversible, especially if you're using version control (a kind of "undo history" for projects) or simple backups.
Start small and boring on purpose. Your first session should be something trivial: ask it to create a folder, or summarize what's in a file. Watching it do something harmless and useful builds the intuition far faster than reading about it. Confidence comes from a few low-stakes wins, not from understanding everything up front.
You don't need to understand the machinery to use it safely. You don't know how your car's engine works in detail, but you drive safely by knowing the rules of the road. This guide is the rules of the road. That's enough to start.
3. The one idea that explains almost everything
An AI assistant running on your computer has the same permissions you do. It is not locked in a tiny box the way a phone app is. It runs as you, which means it can technically reach anything your account can reach.
Almost every worry below is really a question about that one fact — and about the difference between can (what's technically possible) and will (how the tool is actually designed to behave, and what you allow it to do).
Hold that distinction and the rest becomes intuitive. The job isn't to make the tool incapable of overreach (it runs as you, so it's capable). The job is to scope what it sees, supervise what it does, and verify where your data goes. Three simple habits cover the vast majority of real risk.
4. Can it read my personal files — photos, documents, Downloads?
Technically: yes. In practice: it works inside the folder you point it at.
Because the tool runs with your permissions, nothing at the deepest level stops it from reading your home folder. But tools like Claude Code are designed to operate inside a working directory — the one project folder you launch them from — and they open files only as needed for the task at hand. They are not crawling your whole hard drive.
The simple, powerful habit: launch the tool from your project folder, not from your home folder.
In practice that means navigating into your project first. The command to "change directory" is cd:
```sh
cd ~/Projects/my-project    # good: a narrow, scoped workspace
claude

cd ~                        # avoid: this is your whole home folder
claude
```
(The ~ is shorthand for your home folder. cd just means "go into this folder.")
This isn't a locked vault — it's good hygiene that keeps the tool's attention narrow and dramatically shrinks what it would ever naturally encounter. For most people, scoping to a project folder is enough. If you want an actual wall rather than a habit, see Section 11.
5. Can it steal my passwords from the keychain / password manager?
No — not silently.
Your computer stores saved passwords in a protected vault (on Mac it's called Keychain; Windows and password managers have equivalents). The crucial design feature: opening that vault requires a fresh authentication — your fingerprint, Face ID, or login password — every single time, for each secret.
That means even though the assistant runs as you, it cannot quietly pull your passwords. The operating system puts a human-action gate in front of every secret, and software can't fake your fingerprint. "Runs as your user" is simply not enough to crack the vault.
Practical takeaway: your stored passwords are safe from background theft. The one habit worth keeping: don't paste passwords or secret keys directly into a chat prompt yourself — that's you handing it over, which is different from the tool taking it. The vault itself is not exposed.
6. Those scary permission pop-ups, explained
The first time the tool needs certain access, your operating system shows a dialog. This is your computer protecting you — a good sign, not a warning of danger. Here are the two you're most likely to see:
| The pop-up says… | What it actually means | What to do |
|---|---|---|
| "…would like to access files on a network volume" | Access to a network drive — storage that lives on another device or server, not your own computer's disk. Not your Documents folder. | Don't Allow. A normal coding or knowledge-work tool has no reason to touch network drives. |
| "…wants access to control Terminal" (or similar) | Permission to run commands — the basic ability the tool needs to actually do work (create files, run a task, check its own results). | Allow. Without this, the tool can't function. |
Counterintuitively, the one that sounds more alarming ("control Terminal") is the legitimate, necessary one, and the more innocent-sounding one (network volume) is the one to decline.
Two reassurances: these permissions are scoped to the specific app named in the dialog, and because you launch the tool and watch it run, you see every action and can stop it with Ctrl+C at any moment.
7. The big distinction: supervised tools vs. always-on agents
This is the single most important idea in the guide. The real risk multiplier isn't the AI itself — it's how much autonomy and persistence it has.
There's a meaningful difference between a tool you invoke, watch, and close, and an autonomous agent that runs continuously on its own schedule, taking actions while you're not looking — sometimes while you're asleep. Some community-built autonomous agents (you may see names like OpenClaw, formerly ClawdBot) are designed to run unattended, wake themselves up on a timer, and act across your whole system, your browser, your email, and more.
| | Supervised tool (e.g. Claude Code) | Always-on autonomous agent |
|---|---|---|
| When it runs | Only when you start it | Continuously, on a timer, often unprompted |
| Are you watching? | Yes — every action, in real time | No — it acts while you're away |
| What it reaches | The folder you point it at | Broad system access by design |
| Stopping it | Ctrl+C, instantly | Only if you happen to be present |
| Where to run it | Your normal computer is fine | Its own docs often say: use a separate machine |
Here's the tell: when an autonomous agent's own documentation recommends running it on a dedicated computer or a Raspberry Pi instead of your main machine, that's a loud signal about its risk profile. A supervised, invoke-when-needed tool is a fundamentally different and safer category — even though it's the same underlying AI.
The same permission means different things in different hands. "Allow this to run commands" is perfectly fine for a tool you're actively supervising. It's a much bigger deal for an agent operating on its own while you're not there to judge what it's doing with that power. Autonomy is the variable to watch — not capability.
8. Where do my files actually go?
Any cloud-based AI assistant — whether it lives in a terminal or inside an app — sends the contents of the files it reads to the provider's servers in order to think about them and respond. That's the basic mechanism, and it's the same across these tools. It doesn't upload your entire computer; it transmits the specific files it opens for a given task.
A helpful comparison: this is not like a tool that runs entirely on your own machine and never phones home. It's more like online backup or a cloud document — your data travels to a server you don't own, and most people accept that trade-off every day without much thought. The honest question is simply whether your particular files are sensitive enough to deserve extra caution.
The terms that actually matter (and please verify — they change)
- Paid and developer-tier access usually defaults to not using your inputs and outputs to train the AI. This is typically a stronger protection than older free-chat defaults.
- Some tiers offer zero data retention (the provider doesn't keep your data after processing).
- These policies evolve and differ by plan. Don't rely on any article — including this one — for the current specifics. Check the provider's official privacy/terms page before putting anything sensitive through the tool.
If you want stronger guarantees
- Confirm you're on terms that exclude training use, and look for a zero-retention option.
- For the strictest privacy, a local model (AI that runs entirely on your own machine, with nothing sent anywhere) keeps everything in-house — at a real cost in capability, since local models are noticeably less capable than the big cloud ones.
- For most people most of the time, the sensible path is: use the cloud tool, on no-training terms, as a deliberate choice.
9. Do I still own what I make?
Yes. Using an AI to help create something doesn't transfer ownership to the provider — the same way using a word processor, a calculator, or a design app doesn't give those companies your work. You are the author: you set the goal, make the decisions, and direct the work. The AI executes under your direction. Reputable providers' terms do not claim ownership of what you produce — doing so would be commercially unthinkable.
So the real concern is not ownership — it's confidentiality. If your inputs were ever used to train the AI, fragments of your approach could, in principle, surface in other people's results later — not as a copy of your document, but as the distinctive shape of how you did something. For any single item the odds are low, and it can't be undone once it happens. That's precisely why the no-training terms in the previous section are the protection to confirm.
A note if you have a job: many employment contracts claim ownership of work done on company time or with company equipment. If you're building something personal, keep it cleanly separated — personal computer, personal time, personal accounts. And remember that a project's built-in history (version control timestamps) is a tool-independent record of what you built and when, which is useful evidence of authorship regardless of which AI you used.
10. Which tool should I use?
These tools often share the same underlying AI. They differ in interface, who they're built for, and where your files live while you work. Here's how the main options compare — including where the friendlier, non-terminal options fit.
Claude Code — the terminal tool
- Who it's for: people doing hands-on building (code, scripts, multi-file projects) who don't mind a text window.
- Privacy posture: runs on your computer as you; sends files it reads to the provider under your plan's terms; you supervise everything live. Scope it by launching from the project folder.
- Reach for it when: you want a capable, closely-supervised tool for real building work.
Claude Cowork — the "AI coworker" for non-coding work
- What it is: the same agentic engine as Claude Code, but built for everyday knowledge work and with no terminal required. It lives in the Claude desktop app. You grant it access to a specific folder, describe a task in plain language ("fill out this expense report from these receipts," "organize this folder," "draft a report from these notes"), and it plans and carries it out, checking in as it goes.
- How it compares to the others — this is the useful part:
  - Versus Claude Code: same core capability, friendlier door. Cowork is for documents, spreadsheets, and files rather than code, and you steer it from a normal app window instead of a terminal. If the terminal is the barrier for you, Cowork is the same power without it.
  - Versus an always-on autonomous agent (the risky category in Section 7): Cowork is much closer to the safe end of that spectrum, for two concrete reasons. First, it runs inside an isolated virtual machine — a sealed sandbox separated from your main operating system — rather than roaming your whole computer freely. Second, it asks for explicit permission before significant actions like deleting files. So while it is agentic (it acts, not just chats), it's a supervised, sandboxed, permission-gated agent — not an unattended one running on a timer. That combination is what makes it appropriate for a normal machine.
- Privacy posture: same provider terms as the rest; the main thing in your control is which folders you expose — be deliberate, just as with the CLI.
- Reach for it when: you want agentic help with documents and everyday tasks but don't want to touch a terminal.
Desktop app (chat with file access)
- Who it's for: people who want a guided, click-friendly experience.
- Privacy posture: same provider terms; the thing to watch is the scope of folder access you grant. Be intentional about what you connect.
- Reach for it when: you want a gentle on-ramp and you're thoughtful about access.
Cloud development environments (e.g. GitHub Codespaces)
- What it is: a disposable workspace that runs in the cloud, so nothing touches your own computer.
- Privacy posture: a genuinely different model. Your files live on the cloud host's servers for the session, and if you run an AI inside it, files also flow to the AI provider — so you're trusting two companies instead of one. The upside is real: your personal computer and files are never exposed at all. Strong isolation, broader cloud footprint.
- Reach for it when: keeping your own machine completely untouched matters more to you than minimizing how many cloud services are involved.
Quick chooser
| What matters most to you | Best fit |
|---|---|
| Keep everything on my own machine | Claude Code or desktop app, scoped to a project folder |
| Agentic help, but I don't want a terminal | Claude Cowork |
| Strongest isolation from my personal files | Cloud dev environment (e.g. Codespaces) |
| Absolute maximum privacy, nothing sent anywhere | Local model (at a capability cost) |
| Friendliest possible on-ramp | Desktop app — be deliberate about folder access |
| Hands-on building work, closely supervised | Claude Code (CLI) |
11. Optional: a dedicated user account for extra peace of mind
Here's a safeguard most people don't think of, and it's the strongest single thing you can do if you want a real wall rather than a good habit.
The idea: create a separate user account on your computer — the same way a household might have one login per family member — and do all your AI-assisted project work from that account.
Why it works so well: a separate user account is a genuine security boundary built into your operating system. An account simply cannot see another account's files, password vault, photos, or documents — regardless of what permissions a tool has within that account. So even in a worst case, a tool running in your "projects" account has no path to your main account's personal life. This is a real wall, not just a habit like folder-scoping.
The trade-off is convenience. A separate account means logging into it to work, re-installing your tools there, and switching accounts to move between "personal stuff" and "project stuff." For some people that friction is trivial; for others it's annoying enough to skip.
A tiered way to think about it:
| Level | What you do | Who it's for |
|---|---|---|
| Everyone | Launch tools from a specific project folder; supervise; verify terms | All users — the baseline habits |
| Extra caution | Do project work in a separate user account | The privacy-conscious, anyone handling sensitive material, or anyone who'll simply feel calmer with a hard wall |
| Maximum isolation | Use a cloud dev environment or a separate physical/virtual machine | Sensitive projects, or experimenting with more autonomous agents |
You don't need the higher levels to start safely — folder-scoping plus supervision covers most real risk. But if a hard boundary is what lets you relax and actually use these tools, a dedicated account is a very reasonable, one-time bit of setup.
12. Getting started: safe defaults
A short checklist that bakes in everything above.
- Install the tool using its officially recommended method, and confirm it installed (most tools have a `--version` check).
- Sign in with your account when prompted.
- Accept any "terminal setup" conveniences if offered (things like multi-line typing) — these are cosmetic comfort settings and don't affect permissions or safety.
- Always launch from your project folder, never your home folder: `cd ~/Projects/my-project`, then `claude`.
- Handle the pop-ups deliberately: allow "control Terminal / run commands" (needed); decline "network volume" access (not needed).
- Start with something small and boring — create a folder, summarize a file — to build confidence before anything ambitious.
- Watch it work. You can read every action and stop with Ctrl+C. Your supervision is the main safety mechanism.
- Check current data terms on the provider's official site before running anything sensitive through it.
- (Optional, for extra peace of mind) Do it all inside a dedicated user account (Section 11).
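The "launch from the project folder, never the home folder" habit from Section 4 and this checklist can be enforced rather than remembered. The script below is an added example, not part of the guide or of the Claude Code tool itself; it assumes the tool's command is `claude` as in the guide, and everything else (function names, the list of "broad" folders) is constructed for illustration.

```sh
#!/bin/sh
# Added example: a small pre-flight check that refuses to start the assistant
# from your home folder or from a broad personal area. Assumes the tool is
# started with the command `claude`; all names here are illustrative.

# scope_check DIR
#   Returns 0 when DIR is an acceptable scoped workspace and 1 when it is not.
#   Rejected: a folder that does not exist, the home folder itself, the root or
#   the parent of all home folders, and the top level of Desktop/Documents/
#   Downloads/Pictures (pointing the tool at one of those exposes all of it).
#   A project folder *inside* Downloads or Documents is fine; it is narrow.
scope_check() {
    dir=$(cd -- "$1" 2>/dev/null && pwd -P) || return 1
    home=$(cd -- "$HOME" && pwd -P)
    case "$dir" in
        "$home"|/|/Users|/home|/root) return 1 ;;
    esac
    for broad in Desktop Documents Downloads Pictures; do
        [ "$dir" = "$home/$broad" ] && return 1
    done
    return 0
}

# launch_scoped DIR
#   Enters DIR and starts the tool only if scope_check passes; otherwise it
#   explains why and starts nothing. Use it in place of typing `claude` directly.
launch_scoped() {
    if scope_check "$1"; then
        cd -- "$1" && echo "working directory: $(pwd -P)" && claude
    else
        echo "refusing to launch: '$1' is your home folder or another broad area; cd into a project folder first" >&2
        return 1
    fi
}
```

Typical use is `launch_scoped ~/Projects/my-project`; run from a shell startup file it gives you the same narrow working directory every time without having to remember the cd step.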
13. Mini-glossary
- Terminal / command line / CLI: the text-only window where you type instructions to your computer instead of clicking. "CLI" stands for command-line interface. It does nothing until you press Enter.
- Keychain: the protected vault on a Mac that stores your saved passwords. It requires your fingerprint or password to open each item. (Windows and password managers have equivalents.)
- Network volume / network drive: storage that lives on another device or server you connect to over a network — not your own computer's built-in disk.
- NAS: Network-Attached Storage — a hard drive on your network that multiple devices can share. A common example of a "network volume."
- Working directory: the specific folder a tool is operating in. Launching a tool from inside your project folder makes that folder its working directory, which keeps its attention narrow.
- cd: the "change directory" command — it means "go into this folder."
- ~ (tilde): shorthand for your home folder.
- Ctrl+C: hold Control and press C to immediately stop whatever a terminal tool is doing. Your emergency brake.
- Agentic / agent: software that doesn't just answer questions but takes multi-step actions on your behalf (reading files, running tasks). Agents range from supervised (you watch, it asks permission) to autonomous (runs on its own).
- Virtual machine (VM) / sandbox: a sealed-off computer-within-your-computer. Software running inside it is isolated from your real operating system and files.
- Version control: a system (like Git) that records the history of a project, so you can see what changed and undo mistakes. A built-in "undo history" and authorship record.
- Local model: an AI that runs entirely on your own machine, sending nothing to the cloud — maximum privacy, lower capability.
- Training data: the material used to teach an AI. The key privacy question is whether your inputs become training data — on most paid/developer tiers they don't, but confirm it.
This guide is a general-principles synthesis, accurate at the time of writing. The fast-moving parts — especially data-retention and training policies — change and vary by plan. Always confirm the specifics at the official source before relying on them. Nothing here is legal advice.