To clarify a few things:
1. Any tool that reduces the privileges of your application code, such as Osgood or Deno, is doing so because application code cannot necessarily be trusted, since you're pulling in external dependencies that can have vulnerabilities or malicious code, and even one's own code may have unknown vulnerabilities that may cause unexpected IO behaviour to happen.
2. The policies you can set with Osgood are defined in a JavaScript file that is run separately from your application code (i.e. the worker files), and it only runs once to build up the policy data structures in native code. This V8 Isolate is then discarded. This means that application code cannot modify its own policies.
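The load-once flow described in point 2, modeled as an added example that is not part of the original comment and is not Osgood's code: a policy source runs once, its declarations are compiled into frozen rules, and the worker only ever receives a checked request function. The `allowGet` and `request` names, the `example.test` URLs and the glob semantics are assumptions, and plain function scoping stands in for the separate V8 Isolate.

```javascript
// Added illustration. Function-scoped evaluation stands in for separate V8
// isolates; it is NOT a sandbox and only models the load-once/discard flow.

// Constructed policy file (hypothetical allowGet API, not Osgood's own).
const POLICY_SRC = `
  allowGet('https://api.example.test/users/*');
  allowGet('https://static.example.test/logo.png');
`;

// Constructed worker: four requests, then a probe for the policy-time API.
const WORKER_SRC = `
  return [
    request('GET', 'https://api.example.test/users/42'),
    request('GET', 'https://apiXexample.test/users/42'),
    request('GET', 'https://api.example.test/users/42/keys'),
    request('POST', 'https://api.example.test/users/42'),
    typeof allowGet,
  ];
`;

// Assumed glob semantics: '*' matches within one path segment; every other
// character, including '.', is matched literally.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '[^/]*') + '$');
}

// Phase 1: run the policy source once, copy what it declared into frozen
// host-side rules, and keep no reference to the policy-time API.
function loadPolicy(src) {
  const declared = [];
  new Function('allowGet', src)((glob) => { declared.push(String(glob)); });
  return Object.freeze(declared.map(globToRegExp));
}

// Phase 2: the worker receives only a checked request function; the rules
// stay in a closure it cannot reach or extend.
function runWorker(src, rules) {
  const request = (method, url) =>
    method === 'GET' && rules.some((r) => r.test(String(url))) ? 'allowed' : 'denied';
  return new Function('request', src)(request);
}

function demo() {
  return runWorker(WORKER_SRC, loadPolicy(POLICY_SRC));
}
```

`demo()` returns one entry per line of the constructed worker: only the first request matches a declared rule, and the policy-time `allowGet` is not visible to the worker at all.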