Noodling on sandboxing models
"Before I built a wall I'd ask to know
What I was walling in or walling out"
With computers, this strategy doesn't work. Inside and outside have a way of switching places.
In Unix, the crown jewels were the root user; other user accounts were sandboxed. Code (in C) ran all types erased. As time passed. Root grew vestigial, people stopped sharing computers. The crown jewels moved to user accounts. Processes acquired bolt-on things like ASLR.
(Compare Java, which has strong types within the VM. At least until generics started erasing some types.)
Enter Wasm. Now the browser tab is the crown jewels. Compiling to Wasm erases types. As time passes, people will start living within the Wasm sandbox. And we'll start reinventing things like ASLR.
Lehmann, Kinder and Pradel, "Everything easy is hard again: Binary Security of WebAssembly"
Sandboxing isn't about a single boundary. When designing VMs for adoption, build for isolation _within_ the VM in addition to the boundary. Allow people to collaborate and run untrusted code within a single sandbox.
Oh, and don't erase types.