It is clear that the complexity and possibilities of CPython introspection make unreliable attempts to blacklist interpreter parts. I believe that one of the main attempts was tav safelite . It is also not so difficult to cause CPython to crash , which opens up another way for using arbitrary code. To avoid running out of resources or using DoS CPUs from arbitrary code, it is probably not possible to perform an in-process (you will need a watchdog timer, system restrictions, etc.).
Something important for people who want to have executable code in the sandbox in Python is not to use their own (or just modify sys , __builtins__ ): itβs very easy to convince yourself that it is robust and yet missed some obvious workaround, bypasses your defense. Keep in mind that Python used a module that offered such protection, and even had glaring problems to avoid restrictions. IIRC, he was vulnerable to fishing for unlimited objects (through introspection) into a restricted environment.
However, pysandbox is written by the core of the Python developer, which believes that it is safe to restrict, for example. IO (and it includes a lot of previous research) and can work in the process as you want (albeit with a few smaller features, such as protecting DoS from CPU and memory usage).