I've actually found it pretty hard in a browser as well - if you want to run untrusted code without it breaking your app or stealing cookies etc.

I've been doing a bunch of work recently with iframe sandbox combined with CSP which appears to be a robust way to do this.