I'm reminded of wuffs, which only allows writing libraries and explicitly doesn't support allocateing memory, requiring the calling program to provide memory. It seemed like a nice separation of concerns in my non-expert view. (And then wuffs compiles to C, which is nice for interoperability)
I hadn’t seen wuffs before. Interesting approach to writing safe libraries:
Wuffs is not a general purpose programming language. It is for writing libraries, not programs. Wuffs code is hermetic and can only compute (e.g. convert "compressed bytes" to "decompressed bytes"). It cannot make any syscalls (e.g. it has no ambient authority to read your files), implying that it cannot allocate or free memory (and is therefore trivially safe against things like memory leaks, use-after-frees and double-frees).