Very interesting :) , although I have the feeling we already have some features in place (and others on the way) trying to solve this same problem.
- We already have "Shadow Realms", which doesn't really solve the capabilities problem, but at least provides a thin isolation layer (at least our globals are protected!). This is supposed to work in all JS environments, not just NodeJS.
- On top of that, there's work in progress to implement a permissions system (with experimental code already in place, that can be tested): https://github.com/nodejs/security-wg/issues/791