The bubblewrap readme mentions containers as binaries with binctr; I guess without overlayfs or other file-level re-deduplication due to the container fs in the binary.
Perhaps similarly, also TIL:
UKIs are easier for UEFI Secure Boot to check signatures on than (kernel, initrd) pairs.