Yeah, that's what I was thinking: just throw the whole lot inside a Docker container and call it a day. Unless you're dealing with potentially malicious code that could break out of a container, that should isolate the rest of your machine sufficiently.
Alternatively, PyPy is actually fully sandboxable.
On Linux, you can also use `seccomp`. See, for instance, https://healeycodes.com/running-untrusted-python-code