In what situation would "just embed python/lua/js/etc." not be the appropriate solution to this problem?

It's hard to sandbox python or lua and block I/O and all system calls. 1 mistake and player computers are compromised.

Even with JS in browser you can't just eval(), you need sandboxing like https://code.google.com/p/google-caja/ or https://github.com/jterrace/js.js/ (200 times slower than js).