UPD: just released a library implementing all the features described below: https://github.com/asvd/jailed
When there is a need to run an untrusted code in JavaScript, one may jail it within a web-worker. But what makes it secure, also makes it restricted. One may only send messages and transfer json-serialized