In Deno you can make a runtime that cannot even access the filesystem.
That's a cool feature. Using jlink for creating custom JVMs does something similar.
That's a good feature. What you are saying is still true though; using the OS for that is the way to go.