Others may disagree with me, but fundamentally: with remote-code-execution-as-a-service, you can’t substantively change what folk can do with it beyond changing what the underlying server and kernel process can do. There are just too many ways to circumvent any countermeasures.
Some things you can do:
- run the server/kernel process in a more isolated fashion
- e.g. chroots, docker, vms, another computer, or all of the above
- these can still be escaped by a dedicated attacker, but if it must be…
- run everything against a read-only file system
- this makes many useful things fail
- run everything in the client’s browser e.g. jupyterlite
- you can expose some features behind, e.g. a REST API
- carries lots of its own issues