[grashalm]

Any language can be sandboxed on the VM level. It's a property of it's implementation. So you can say that Lua has no sandbox friendly implementation right now.

For example, termination you can solve by unwinding the stack in efficiently polled safepoints. You need to take down the entire sandbox-capable Lua VM instance but you can.

[le-mark]

Lua has debug hooks that can be used for the purpose; for example an instruction counter coupled with a pool allocator should get one quite far. I would never trust third party bytecode, only source code.

Is anyone familiar with Roblox luau security features?

[Ono-Sendai]

Luau can be sandboxed, and scripts limited in cpu and memory usage.