When was this? I've only seen this "anti-rust" vibe in the past few weeks, guess triggered by the Bun rewrite. Zig people usually will tell you to use the right tool for the job over shilling the language or that you don't need to use it yet (if you want a stable language/documentation) the language will be there if you want to check it in a few years.
The language itself will probably stabilize in maybe 3 years. The last things they'll do is work on the std lib, documentation, spec. That will take time but the language will be ready before then.
Most users don't need it. Having it on by default is a feature for malware writers not users.
But to your point, Node has had permission flags for a while[0] but allows everything by default. Npm could use them to increase security even more. I just hope it doesn't take them another 10 years to change the default.
To me it feels more like the old "this site only supports IE6". Instead of checking which JS engine the user has, check for specific api support and fail gracefully.
Regarding runtime overhead, I'd assume you would still need an io implementation, it is just showing it to you explicitly instead of it being hidden behind the std lib.
For simple projects where you don't want to pass it around in function parameters, you can create a global object with one implementation and use it from everywhere.