by naasking
3194 days ago
> 'Safe' filesystem access? Honest question, but what would that look like?

Safety is a spectrum. Consider a file system API that didn't let you obtain access to a parent directory, and didn't let you ambiently designate any path you like via an unchecked string and turn said string into a real handle to whatever lies at that path. Your program starts with a handle to what it's allowed to reference. Any subroutine you passed a directory handle then couldn't obtain anything outside of that path (effectively a jail), and any subroutine that wasn't passed any handles can't read or modify the file system at all.
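An added example, not part of naasking's comment: a sketch of the handle-based API the comment describes, built on POSIX `openat` semantics through Python's `dir_fd` parameter. The `Dir` class, its methods and `demo()` are hypothetical names, the directory tree is constructed, and a Linux-like platform is assumed. Python itself still lets any code call `open()`, so this shows the API shape rather than an enforced sandbox.

```python
import os
import tempfile

class Dir:
    """Directory capability: wraps an open fd, never exposes a path string."""
    def __init__(self, fd):
        self._fd = fd

    @classmethod
    def grant(cls, path):
        # Only start-up code should call this; it is the one ambient lookup.
        return cls(os.open(path, os.O_RDONLY | os.O_DIRECTORY))

    def _open(self, name, flags, mode=0o600):
        # Accept a single child name only: no separators, no "." or "..".
        if name in ("", ".", "..") or "/" in name or "\0" in name:
            raise PermissionError(f"not a child name: {name!r}")
        # O_NOFOLLOW: a symlink planted in the directory cannot redirect us.
        return os.open(name, flags | os.O_NOFOLLOW, mode, dir_fd=self._fd)

    def subdir(self, name):
        return Dir(self._open(name, os.O_RDONLY | os.O_DIRECTORY))

    def read(self, name):
        with os.fdopen(self._open(name, os.O_RDONLY), "rb") as f:
            return f.read()

    def write(self, name, data):
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
        with os.fdopen(self._open(name, flags), "wb") as f:
            f.write(data)

def demo():
    # Constructed tree: tmp/secret.txt beside tmp/jail/, which holds escape -> "..".
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "jail"))
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("outside")
        os.symlink("..", os.path.join(tmp, "jail", "escape"))
        jail = Dir.grant(os.path.join(tmp, "jail"))
        jail.write("note.txt", b"inside")
        out = {"note": jail.read("note.txt")}
        for name in ("..", "../secret.txt", "/etc/hostname", "escape"):
            try:
                jail.subdir(name) if name == "escape" else jail.read(name)
                out[name] = "allowed"
            except OSError:  # PermissionError from the name check, or the symlink refusal
                out[name] = "refused"
        return out
```

A subroutine handed `jail` can read and write `note.txt` but has no operation that yields the parent directory, and one handed no `Dir` has nothing to call.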