Running arbitrary compositions of code in a highly locked down sandbox is easy.

If code inside an impenetrable sandbox does something dangerous, does it matter?

If a tree falls in the woods and there's no one around to hear it, does it make a sound?

But for the computation to do anything useful, it has to interact with the surrounding world.

For example, reaching out to the merchant's server to let them know the user has requested to buy the product.

That requires that sometimes the data must escape.

This is the hard part!

That "sometimes" is an absolute beast of a problem!