Rust is interesting for dealing with some hard problems in keeping a multicore program safe and efficient, but I'm sure sandboxing will provide a better tradeoff for a lot of things (and as sho_hn points out, HarfBuzz correctly embeds a lot of domain knowledge from multiple cultures). C can be locked down pretty tight; see, for example, ZeroVM, which restricts it to pure functional code.