
I think the main problem is that you should be able to run dependencies inside their own sandbox, and the language focuses only on memory safety within a monolithic program.


The problem is that if you put library dependencies in their own sandbox you have a different kind of (much more limited) interface for libraries.

E.g. if we look at sandbox boundaries we have:

- some in-language permission enforcement (e.g. Java Security Manager) -- this approach turned out to be a very bad idea

- process boundaries, i.e. take the boundary the OS enforces and lock it down more (e.g. by stuff like pledge, cgroups etc.) -- this approach turned out okayish

- VM boundaries (e.g. firecracker VMs) -- turned out well

- emulation boundaries (e.g. WASM) -- mixed history, can turn out well especially if combined with worker processes which lock themselves down

But what that means in practice is that wanting to reliably sandbox library dependencies will most likely lead to more or less IPC boundaries between the caller and the library.

What that means in practice is that it's unsuited for a lot of things:

e.g. for most utility libs it's very unsuited

e.g. for a lot (but not all) data structure libs it's unsuited and might be a huge issue

e.g. you can apply it to a web-server, but then you are basically reinventing CGI/AGI, which is okay but can't quite compete on perf.

e.g. you can't apply it to some fundamental runtime engine (e.g. tokio); worse, you now might have one copy of the engine running per sandbox... (but you can apply it to some sub-parts of tokio's internals)

People have tried this a lot in various ways.

But so far this always died off in the long run.

It would be nice if the latest push based around WASM had some long-term success.
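The process-boundary approach the comment above describes, as an added example that is not from the thread or from any project named in it: a stand-in dependency is forked into a worker process that locks itself down and every call becomes a framed request/response over pipes. The `word_count`/`read_file` functions and the length-prefixed JSON protocol are constructed for illustration, and rlimits stand in for a real lockdown primitive such as pledge, seccomp or Landlock (they block opening/writing files and runaway CPU, nothing more). Linux/POSIX only.

```python
"""Run a dependency behind a process boundary, talking to it over IPC.

Added example, not from the thread. word_count/read_file are a constructed
stand-in for a dependency; the framed-JSON protocol is invented. POSIX only.
"""
import json
import os
import resource
import struct
import time


# --- constructed stand-in for the dependency we want to isolate -------------
def word_count(text: str) -> dict:
    """Pure function: the kind of call that survives a boundary fine."""
    counts: dict = {}
    for word in text.split():
        counts[word] = counts.get(word, 0) + 1
    return counts


def read_file(path: str) -> str:
    """Does I/O: the kind of call the sandbox is meant to stop."""
    with open(path) as f:
        return f.read()


EXPORTS = {"word_count": word_count, "read_file": read_file}


# --- framing: 4-byte big-endian length prefix, then a JSON body -------------
def _read_exact(fd: int, n: int):
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:  # EOF: the peer closed its end or died
            return None
        buf += chunk
    return buf


def _send(fd: int, obj) -> None:
    body = json.dumps(obj).encode()
    os.write(fd, struct.pack("!I", len(body)) + body)


def _recv(fd: int):
    header = _read_exact(fd, 4)
    if header is None:
        return None
    (length,) = struct.unpack("!I", header)
    body = _read_exact(fd, length)
    return None if body is None else json.loads(body)


def _lockdown() -> None:
    # Worker-side "lock itself down" step. rlimits are a weak substitute for
    # pledge/seccomp/Landlock: already-open pipe fds keep working, but the
    # worker can no longer open or write files or burn unbounded CPU.
    resource.setrlimit(resource.RLIMIT_NOFILE, (0, 0))  # open() -> EMFILE
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))   # no file writes
    resource.setrlimit(resource.RLIMIT_CPU, (5, 5))     # kill runaway loops


def _serve(req_fd: int, resp_fd: int) -> None:
    _lockdown()
    while (req := _recv(req_fd)) is not None:
        try:
            result = EXPORTS[req["fn"]](*req["args"])
            _send(resp_fd, {"ok": True, "result": result})
        except Exception as exc:  # a failing call must not take the worker down
            _send(resp_fd, {"ok": False, "error": f"{type(exc).__name__}: {exc}"})


class SandboxError(RuntimeError):
    pass


class SandboxedLib:
    """Host-side handle: every library call is one request/response round trip."""

    def __init__(self):
        req_r, req_w = os.pipe()
        resp_r, resp_w = os.pipe()
        self.pid = os.fork()
        if self.pid == 0:  # worker: keep only its ends of the pipes
            os.close(req_w)
            os.close(resp_r)
            try:
                _serve(req_r, resp_w)
            finally:
                os._exit(0)
        os.close(req_r)  # host
        os.close(resp_w)
        self._req_w, self._resp_r = req_w, resp_r

    def call(self, fn: str, *args):
        _send(self._req_w, {"fn": fn, "args": list(args)})
        resp = _recv(self._resp_r)
        if resp is None:
            raise SandboxError("worker exited unexpectedly")
        if not resp["ok"]:
            raise SandboxError(resp["error"])
        return resp["result"]

    def close(self) -> None:
        os.close(self._req_w)  # EOF on the request pipe ends the worker loop
        os.close(self._resp_r)
        os.waitpid(self.pid, 0)


def demo() -> dict:
    """A pure call works, I/O is refused, and the round-trip cost is measured."""
    lib = SandboxedLib()
    try:
        text = "the cat sat on the mat"
        via_sandbox = lib.call("word_count", text)
        try:
            lib.call("read_file", "/proc/self/status")
            blocked = None
        except SandboxError as exc:
            blocked = str(exc)
        t0 = time.perf_counter()
        for _ in range(200):
            lib.call("word_count", text)
        per_call_us = (time.perf_counter() - t0) / 200 * 1e6
        return {"via_sandbox": via_sandbox, "direct": word_count(text),
                "blocked": blocked, "per_call_us": per_call_us}
    finally:
        lib.close()
```

`demo()` returns the same word counts through the boundary as from a direct call, an `OSError` string for the blocked file read (the worker stays alive and keeps serving afterwards), and a per-call cost in microseconds. That cost is the point the comment makes: a fork, two pipes and a serialization step per call is tolerable for a request handler and absurd for a string helper, and a dependency that holds shared state (a runtime, a data structure) cannot be split along this line at all without copying it into every sandbox.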


> the problem is if you put library dependencies in their own sandbox you have a different kind of interface (much more limited) for libraries

Nobody said it would be easy. As an analogy, the borrow checker makes working with memory much more limited, yet some people like it because it makes things safer.


Thanks! This is a very detailed explanation of why existing sandboxing techniques will not work as expected for dependencies (wrt functionality or performance).



