Thanks for the suggestions. Unfortunately I don't think this is practical. The path for guile will be different on different systems, so I can't just hardcode it. If someone has the ability to get on my desktop system and put a malicious binary named, say, ls in my home directory, I'm kind of screwed no matter what.

I also don't want to get into the business of maintaining and distributing my own sandboxed version of guile, nor do I want potential users to have to install such a thing just so they can use my code; one of my design criteria is that the program should not have any dependencies that are not available as debian packages. If I had the relevant time and knowledge of the Guile codebase, I think the thing to do would just be to offer the Guile folks a patch with an option like -s to run it sandboxed, and get that patch accepted into the standard version of Guile. But I think that would be jumping the gun, since I don't even know yet whether there is some easy, standard way to sandbox Guile.