Security noob here. Would it be sufficient (in addition to only local authorized access) to directly put the file in an unprivileged container, watching its log output? And of course limiting resource use and execution time of the container (don’t know if common container tools like docker or podman have a way to limit resources out of the box)

So lets say a simple interface for the file upload behind an authentication service, based on lets say python cgi, ramping up an unprivileged nonroot docker container, killing the container after a fixed time (a few seconds).