For something that lets you limit things like the number of instructions executed, accessible memory, or ways the code can interact with the outside world, I'd say WebAssembly is your best bet. You've already got control over things like the linear memory size and the concept of gas. The only way for your WebAssembly to interact with the outside world is via host functions, and most WASI implementations provide ways to specify what is accessible (e.g. only certain directories).
You don't say anything about the scripting language needed, but if your case allows you to nail that down, then you could always compile to wasm for them.
You can do it with V8 isolates, though you sometimes need to add process boundaries. It's way beyond my security knowledge, but there's a bit of discussion on that here: Ask HN: Pros and cons of V8 isolates? | Hacker News
You can do an awful lot with firecracker in terms of locking down syscalls, setting limits etc, from what I've read. It's how fly.io does their isolation.