by JadeNB 3985 days ago
> If the language can only express safe actions, the program will not be malicious.

Because 'safe' is not well defined, I can't argue rigorously against this, but it seems like the sort of thing that falls afoul of Rice's theorem (https://en.wikipedia.org/wiki/Rice%27s_theorem): for most reasonable definitions of 'safe', you can have a provably safe language or you can have a Turing-complete language, but not both.

1 comments

Rice's theorem is not really applicable here. It is a beautiful theorem, but it has to do with what we can compute, while "safe" has to do with what one can access.

A function taking Integers to Integers in a pure language cannot do I/O, and thus is "safe" to run, in the sense that I can be guaranteed it does not contain a trojan making my computer into a peer on a botnet. This is true, even if I allow it to compute any computable function.

Computational expressiveness and "safeness" are in a sense orthogonal. And just as I don't think it is always appropriate for any function to do I/O, I am not convinced all functions should be able to perform any computation. But that's a different discussion.

Regarding definedness of the term "safe", I would say it is defined by your threat model. It is not an absolute term, but dependent on context.
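
The distinction drawn in the reply above, between what a program can compute and what it can access, shown as an added example that is not part of the thread or written by either commenter. It is a Minsky-style counter machine (a Turing-complete model) whose interpreter exposes only integer registers; the instruction names, the `run` function and the sample programs are assumptions made for illustration.

```python
# Added illustration, not from the thread. Programs are plain data (lists of
# tuples); the interpreter grants only integer registers and jumps, so no
# program can name a file, socket or OS call, whatever it computes.

def run(program, x, fuel=100_000):
    """Run program on a non-negative integer x; return r0, or None if fuel runs out."""
    regs = {"r0": x, "r1": 0, "r2": 0}
    pc = 0
    while 0 <= pc < len(program):
        if fuel == 0:
            # Halting is undecidable in general, so bound the steps instead.
            # Running forever costs CPU time; it never gains new access.
            return None
        fuel -= 1
        op, *args = program[pc]
        if op == "inc":
            regs[args[0]] += 1
            pc += 1
        elif op == "dec":
            regs[args[0]] = max(0, regs[args[0]] - 1)
            pc += 1
        elif op == "jz":  # jump to args[1] if the register is zero
            pc = args[1] if regs[args[0]] == 0 else pc + 1
        elif op == "jmp":
            pc = args[0]
        else:
            # Anything outside the four safe instructions is rejected outright.
            raise ValueError(f"unknown instruction: {op!r}")
    return regs["r0"]

# Constructed sample program: doubles its input using only inc/dec/jumps.
DOUBLE = [
    ("jz", "r0", 5), ("dec", "r0"), ("inc", "r1"), ("inc", "r1"), ("jmp", 0),
    ("jz", "r1", 9), ("dec", "r1"), ("inc", "r0"), ("jmp", 5),
]
# Constructed sample program: never halts, yet still touches nothing but registers.
LOOP = [("jmp", 0)]

if __name__ == "__main__":
    print(run(DOUBLE, 21))
    print(run(LOOP, 5))
```

The fuel limit addresses a separate item in the threat model (resource exhaustion); the access guarantee comes from the instruction set alone.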