comex 10 hours ago

I don't think this is actually memory-safe. It sounds like the JavaScript-specific parts of the VM are untrusted, i.e. bugs in it won't violate memory safety. But the core GraalVM compiler and its optimizations would still have to be trusted (or if not, the post doesn't explain why not).

mike_hearn 8 hours ago

(I wrote the article).

The optimizations do have to be correct. However, there are some significant factors that make it a lot easier in the Truffle architecture:

1. The optimizations are themselves implemented in a language with memory safety and lots of static analysis tools, so they're just less likely to be buggy for the usual reasons.

2. Most of the complex optimizations that matter for a language like JavaScript or Python are implemented in the interpreter, which is then partially evaluated. In a classical language VM, complex optimizations like PICs, specialization, speculation etc. are all hand-coded in C++ by manipulating compiler IR. It's a very unnatural way to work with a program. In the Truffle architecture they're implemented in normal Java in relatively straight-line logic, so there are just far fewer ways to mess up.

3. The intrinsics are also all written in a memory safe language. Buggy intrinsics are a common cause of compiler errors.

It is nonetheless true that at some points the program is transformed, and those transforms can have bugs. Just like how languages with memory safety and strong standard libraries don't eliminate all bugs, just a lot of them. It's still a big upgrade in correctness, I think.
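To make point 2 concrete, here is an added illustration of what "specialization and speculation written as straight-line Java" looks like in practice. It is not code from the article, from GraalVM, or from any Truffle language; it assumes the Truffle API (`org.graalvm.truffle:truffle-api`) on the classpath and a host `TruffleLanguage` to run it in. The annotations (`@NodeChild`, `@Specialization`, `rewriteOn`, `replaces`, `@Fallback`, `@TruffleBoundary`) are the real Truffle DSL; the node names `ExprNode`, `LiteralNode`, `AddNode` and the generated `AddNodeGen` are mine for this example.

```java
// Added illustration, not from the article or GraalVM: a guest-language "+"
// node whose speculation, guards and deoptimization are ordinary Java that the
// Truffle DSL expands and Graal then partially evaluates with the interpreter.
import java.math.BigInteger;

import com.oracle.truffle.api.CompilerDirectives.TruffleBoundary;
import com.oracle.truffle.api.dsl.Fallback;
import com.oracle.truffle.api.dsl.NodeChild;
import com.oracle.truffle.api.dsl.Specialization;
import com.oracle.truffle.api.frame.VirtualFrame;
import com.oracle.truffle.api.nodes.Node;

/** Base class for expression nodes of a hypothetical guest language. */
abstract class ExprNode extends Node {
    abstract Object executeGeneric(VirtualFrame frame);
}

/** Leaf node: a constant value. */
final class LiteralNode extends ExprNode {
    private final Object value;

    LiteralNode(Object value) {
        this.value = value;
    }

    @Override
    Object executeGeneric(VirtualFrame frame) {
        return value;
    }
}

/**
 * "+" with self-specialization. The DSL generates AddNodeGen, which starts
 * uninitialized, activates the first specialization whose parameter types match
 * the operands it actually sees, and moves on to the next one when a guard
 * fails or a listed exception is thrown. The type checks, the polymorphic
 * dispatch and the deoptimization transitions are all generated Java with
 * bounds-checked, garbage-collected semantics; nothing here edits compiler IR.
 */
@NodeChild("left")
@NodeChild("right")
abstract class AddNode extends ExprNode {

    // Fast path: speculate that both operands are longs and the sum fits.
    // If addExact throws, the DSL discards this specialization (rewriteOn)
    // and re-executes the node with the next applicable one.
    @Specialization(rewriteOn = ArithmeticException.class)
    long addLong(long a, long b) {
        return Math.addExact(a, b);
    }

    // Same operand types, taken once addLong has been invalidated by overflow.
    // @TruffleBoundary keeps BigInteger internals out of the partial evaluation.
    @Specialization(replaces = "addLong")
    @TruffleBoundary
    BigInteger addOverflow(long a, long b) {
        return BigInteger.valueOf(a).add(BigInteger.valueOf(b));
    }

    // Mixed or fractional numerics: widen to double.
    @Specialization
    double addDouble(double a, double b) {
        return a + b;
    }

    // String concatenation, as most dynamic languages define "+" on strings.
    @Specialization
    @TruffleBoundary
    String addString(String a, String b) {
        return a + b;
    }

    // Anything else is a guest-language type error, surfaced as a Java
    // exception rather than undefined behaviour in hand-written C++.
    @Fallback
    Object typeError(Object a, Object b) {
        throw new IllegalArgumentException(
            "unsupported operands for +: " + a.getClass().getSimpleName()
            + " and " + b.getClass().getSimpleName());
    }
}
```

Usage inside a host language would be `AddNodeGen.create(new LiteralNode(1L), new LiteralNode(2L))`, placed under a `RootNode` and executed through its call target. The point of the example is the shape of the code: the "speculate on long, deoptimize on overflow, stay polymorphic across numeric and string types" logic that a classical JIT implements by hand in its IR builder is here four short methods with declarative guards, and any bug in them is an ordinary Java bug rather than a memory-safety hole.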