I wrote this[1] for myself last year. It only gives access to the current directory (and a few others - see README). So, it drastically reduces the attack surface of running third-party Python/Go/Rust/Haskell/JS code on your machine.

1 - https://github.com/ashishb/amazing-sandbox

Just wrote up a quick article on how greywall[0] prevents this attack:

https://greyhaven.co/insights/how-greywall-prevents-every-st...

[0] https://greywall.io/