[IanCal]

I feel like that would require work from the language side, or at least runtimes. Is there a way of stopping code in one package from, say, hitting the network?

You might be able to do this around install scripts, though disk writing is likely needed for all (but perhaps locations could be controlled).

[Filligree]

We've seen a lot of stunningly incompetent attacks that nevertheless get to a lot of people.

Yeah, it needs work from the language runtime, but I think even a hacky, leaky 'security' abstraction would be helpful, because the majority of malware developers probably aren't able to break out of a language-level sandbox, even if the language still allows you to do unsafe array access.

Then we can iterate.

[____tom____]

Java had support for something very like this, but no one used it, and they recently removed it. https://openjdk.org/jeps/486

It's too bad, it would be useful in this situation