"Still under development: do not use for production systems yet, there are known security holes that need to be closed."
Also note the experience of Figma who used the realms shim I think this project is using to secure Figma's JS based plug-ins system, only to promptly take a different approach when compromises were identified:
"Since we published this blog post, we decided to change our sandbox implementation to an alternative approach: compiling a JavaScript VM written in C to WebAssembly"
That's a fairly good indictment of browser sandboxing :)
I've had a few arguments with the person who leads SES over the past couple years, stemming from the idea that the realm shim is able to be attacked by new language features it doesn't know about. (for example, dynamic import exposing the outside environment).
I'd probably stick to a WASM VM unless JS exposed the ability to spin up a separate VM like that on its own (which is very unlikely to ever happen).
Also note the experience of Figma who used the realms shim I think this project is using to secure Figma's JS based plug-ins system, only to promptly take a different approach when compromises were identified:
https://www.figma.com/blog/how-we-built-the-figma-plugin-sys...
https://www.figma.com/blog/an-update-on-plugin-security/
I am looking forward to Realms. Until then, I am doubtful of attempts to fully secure third party JS execution in the browser's engine.