I'll also be running untrusted NimScript code in the not-too-distant future. I was planning to rely on OS-provided process sandboxing, but being able to lock down NimScript as suggested here would make my life easier. What's the general confidence level that this would actually work?
Can I lock down `staticRead`/`staticExec`? Should I assume that the code running in the Nim VM can't read arbitrarily from my process's memory? I expect I'll still use OS sandboxing in my official builds, but that doesn't do anything to protect the data in my process, so protection at the VM level would be very nice.