
None of those methods are even remotely reliable for filtering out bad code. See e.g. this excellent write-up on how many methods there are to infect popular repos and bypass common security approaches [1] (including GitHub "screening"). The only thing that works nowadays is sandbox, sandbox, sandbox. Assume everything may be compromised one day. The only way to prevent your entire company (or personal life) from being taken over is if that system was never connected to anything it didn't absolutely require for running. That includes network access. And regarding separation, even Docker is not really safe [2]. VM separation is a bit better. Bare metal is best.

[1] https://david-gilbertson.medium.com/im-harvesting-credit-car...

[2] https://blog.qwertysecurity.com/Articles/blog3.html



We're making software that doesn't rely on filtering, but Principle Of Least Authority at runtime.

https://lavamoat.github.io

https://hardenedjs.org


Or writing everything by yourself.


You'd have to write the standard libraries and OS as well. Not that it can't be done, but let's just say that people who tried that did not fare well in the mental health department.


If you don’t trust the standard libraries and the OS, you can’t trust the sandbox either.


If you go down this road there also isn't really much need to write anything yourself. After all, you'll be much more likely to include exploitable bugs yourself once you start messing with things you are not an expert in. So neither way is a good solution.


You don't need to write the whole standard library - just the bits you need.



