
This already exists: iframe sandboxes and content security policies. All we need now is a library that allows you to easily load, run, and interact with code in a sandboxed frame, using something like Comlink to make it feel as if it's all running in the same environment.


I know about CSP and iframes, but I think they aren't ergonomic enough to be used as mechanisms to restrict deps, right?

Iframes need a full web context, whilst CSP can't target individual code blocks. For example, I might want my code to be able to do alerts, but I don't want dependency x to be able to.

EDIT: Ah, I think that's what you meant by your "code in a sandboxed iframe thing". Fair.
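The arrangement discussed in this thread, as an added example that is not part of any comment: a dependency runs in a sandboxed iframe without `allow-modals`, so its `alert()` is ignored while the host page can still call `alert()` itself. It uses plain `postMessage` where the first comment suggests Comlink; `frameSpec`, `isReplyFrom`, `callDependency` and `DEP_SOURCE` are hypothetical names, and the dependency source is constructed.

```javascript
// Added example; all names here are hypothetical.
// Constructed stand-in for "dependency x": it tries alert(), then answers a request.
const DEP_SOURCE = `
  onmessage = (e) => {
    alert('from dependency');  // ignored: the frame lacks allow-modals
    parent.postMessage({ id: e.data.id, result: e.data.text.toUpperCase() }, '*');
  };`;

// Attributes for a frame that runs one dependency.
function frameSpec(depSource, { allowModals = false } = {}) {
  const tokens = ['allow-scripts'];  // no allow-same-origin, so the frame gets an opaque origin
  if (allowModals) tokens.push('allow-modals');
  const csp = "default-src 'none'; script-src 'unsafe-inline'";  // no network from the frame
  const safe = depSource.replace(/<\/script/gi, '<\\/script');   // keep the source inside its tag
  const srcdoc = `<meta http-equiv="Content-Security-Policy" content="${csp}">` +
                 `<script>${safe}<\/script>`;
  return { sandbox: tokens.join(' '), csp, srcdoc };
}

// Accept a reply only from this frame's window. A sandboxed frame without
// allow-same-origin reports its origin as the string "null".
function isReplyFrom(frame, event, id) {
  return event.source === frame.contentWindow && event.origin === 'null' &&
         typeof event.data === 'object' && event.data !== null && event.data.id === id;
}

let nextId = 0;

// Browser only: mount the frame, send one request, resolve with the reply.
function callDependency(depSource, text) {
  const spec = frameSpec(depSource);
  const frame = document.createElement('iframe');
  frame.setAttribute('sandbox', spec.sandbox);
  frame.srcdoc = spec.srcdoc;
  frame.style.display = 'none';
  return new Promise((resolve) => {
    const id = ++nextId;
    addEventListener('message', function onReply(event) {
      if (!isReplyFrom(frame, event, id)) return;
      removeEventListener('message', onReply);
      frame.remove();
      resolve(event.data.result);
    });
    // The target origin is opaque, so '*' is the only value that matches it.
    frame.onload = () => frame.contentWindow.postMessage({ id, text }, '*');
    document.body.append(frame);
  });
}
```

In a browser, `callDependency(DEP_SOURCE, 'hi')` resolves to `'HI'` without any dialog appearing.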



