If your chosen development environment supports it, look into distroless or empty base containers, and run as --read-only if you can.

Go and Rust tend to lend themselves to these more restrictive environments a bit better than other options.