Join Is Not Sandbox

Code composes a standard-library path-joining helper (filepath.Join, path.join, os.path.join) with a base directory and a caller-supplied path segment, reading the composition as a sandbox primitive. The helper's documented behavior is to clean `..` segments from the joined path; a caller-controlled segment with enough `..` walks the resulting absolute path outside the base. The function name and surrounding code treat the operation as scoping; the standard library defined it as normalizing. Sandboxing requires post-join verification, filepath.Rel with a prefix check or strings.HasPrefix(base + separator). Join alone provides none.