How to isolate builds with MacOS?

I have one question with the GitLab Runner at MacOS. How can I ensure the isolation of the builds? As far as I know, the only way to really run the code on a MacOS is using bash, right?

I don’t want the users having access to the root system.