Im curious about running User Submitted code in a way that
* Protects the host system
* Protects the host network
* Lets me constrain allowed URLs
* Lets me constrain run time resources
* Lets me accept more than one language easily.
At a quick glance it seems like theres a healthy balance of recommendations from nested virtualization (QEMU inside a locked down docker host) and WASM (this can imply many architectures).
So HN, if you were to create a sandbox system. What would you reach for?