The thing that caught my eye immediately was the sandboxing. I have no idea why Node and npm don’t have sandboxing by default. It would greatly help with some of these worms and supply chain attacks.
Deno has that! Come join us :P no affiliation, just a happy user.
The "VM-isolated sandbox" is apparently not referring to the JavaScript VM but to a hypervisor, according to the text a bit further down on the page. I wouldn't expect that to be particularly fast or efficient, especially not if you're already running in a VM and have to use nested virtualization (if it's even available).