I appreciate the irony of linking to this in PDF form.
If you want high-assurance security for untrusted input, the old solution from 1970’s mainframes was read-only firmware + removable storage. The firmware had to physically be changed out so software couldn’t affect it. The storage has to be write-protected as well. Today, it would be (at minimum) a BIOS w/ jumper write-protect + bootable Linux/BSD on storage with write-protect or write-once/read-many (eg CD-ROM). Obviously, either trusted peripherals or an IO/MMU to stop other persistence avenues. I used to keep it cheap by designing on VIA Artigo boxes since they’re tiny, use 25 Watts, & have crypto accelerator w/ TRNG. Use modern equivalent since probably cheaper by now.