[bioballer]

I/O can be sandboxed via flags.

For example, see these CLI flags: https://pkl-lang.org/main/current/pkl-cli/index.html#common-...

And when using the different language bindings, you can specify sandboxing options directly in that library.

[zelphirkalt]

How many people will run a malicious config at least once without the flags? At some point it becomes a numbers game.