With computers, this strategy doesn't work. Inside and outside have a way of switching places.
In Unix, the crown jewels were the root user; other user accounts were sandboxed. Code (in C) ran all types erased.
Time passed. Root grew vestigial, people stopped sharing computers. The crown jewels moved to user accounts.
Some possible lessons to draw from these sample points.
Sandboxing isn't about a single boundary. When designing VMs for adoption, build for isolation within the VM in addition to the boundary. Allow people to collaborate and run untrusted code within a single sandbox.
A 3-minute video showing what it's currently like to prototype programs on the Mu computer. There are lots of limitations. It's slow, and it can only handle short runs.
While these limitations will be relaxed over time, the goal is partly to nudge people to throw the prototype away once they know what they want, and rewrite it one level down. Therefore: encourage people to write lots of tests.
I tried and failed to implement Bresenham's line algo. Horizontal and
vertical lines work.
No macros => lots of lambdas.
The computer keeps crashing because I type too fast (still can't brain interrupt handlers). It frequently saves to disk, but as an s-expression. Reboots lose indentation.
Ok, edit on host -> create disk image.
I have lots of little buffers. When they overflow the computer crashes.
Without a call stack.
The bug wasn't in Mu or in Bresenham. I just typoed when I edited the disk image 😂
Still lots of catastrophic bugs that require editing the disk image. The disk is clobbered on reboot because I added support for reading multiple sectors from disk but still only write one sector.
A rudimentary, hokey capability system. No mouse yet. 'screen' is only used for text; pixel graphics currently go around it. 'data-disk' can't access code, and will eventually include finer-grained restrictions.
It wouldn't have been possible without the lovely folks over on #osdev. And the inspiration of ColorForth (https://merveilles.town/@akkartik/105906716550232992), though I still don't understand how that driver works.