Well if you just want static vector fonts alone you don’t need anything programmatic; vector images are not inherently code anymore than raster ones. For TrueType I’m pretty sure the VM is only for hinting. OpenType has more flexibility but I haven’t anecdotally seen many vulnerabilities around OpenType. I suspect Type 1 is subject of many vulnerabilities specifically because it’s old code that doesn’t get as much usage.