gozero: the wannabe zero dependency [language-here] runtime for Go developers
Native isolation on windows is supported only with the PRO version and is implemented via Windows Sandbox (which needs to be activated).
OSX implements native isolation via the command sandbox-exec. The command line interface is marked as deprecated, but the system functionality is actively supported, and profiles are still used in well-known software like chrome, firefox.
On Linux, the functionality is implemented with the default command systemd-run, which should be available on most systems and allow a vast fine-grained sandbox configuration via SecComp and EBPF
Sandbox is not enabled by default and needs to be used manually through sdk