When Weave runs tools against a project, it confines what those tools can see and do. On Linux there are two layers: Bubblewrap for access isolation and OverlayFS for write review.
Turning it on or off
Sandboxing is controlled under Settings → Security. On Linux it is on by default. It can be disabled, in which case tools run directly on the host and are confined to the project directory by path checks alone — a deliberately weaker posture, so Weave warns whenever the sandbox is off.
macOS: Bubblewrap and OverlayFS are Linux-only, so on Weave Lite the sandbox is always off and tools run host-side within the project directory.