I'm not talking about the maturity of the project but more about the concept of the feature flag for security.

Node.js had a PR to add that in (with packages enforced but not your 'own' code) and Node has policies to deal with loading untrusted code ( https://nodejs.org/api/policy.html ).

Personally I isolate with OS level containers as I think it's a lot more robust and tested but I definitely see the merit in Deno exploring this - even if it doesn't really work yet it's interesting.

I thought node.js policies were basically just SubResource Integrity hashes? Are they planning for something more?

I’ve been looking into the isolated-vm module recently and it looks pretty nice. Fly.io built their run-untrusted-code service on top of it.

I like the idea from a ux perspective. It puts the control in a place where the user runs the code.