Being able to specify a read/write path is where it's at.
Here's the set of new deny flags, which have higher precedence over allow flags:
--deny-env=
--deny-sys=
--deny-hrtime
--allow-net=
--deny-ffi=
--deny-read=
--deny-run=
--deny-write=
Learn more here: https://deno.land/manual/basics/permissions
Discussion
Lol Deno would completely avoid the directory traversal attack from Pleroma this morning with this sandboxing configured