You're right, sudo to a user with read but not write permission on the relevantwill run a command in a way that only has write access to files is your best betyou give it permission for.
sudo -u some_user cmdname
Running arbitrary user-uploaded programs requires extreme security precautions. Local-root exploits are unfortunately not uncommon in Linux. Letting users run programs they upload without some kind of jail / containment, if not a virtual machine, is unwise.
You should build your system so it's still at least probably secure even if the uploaded program takes advantage of an unpatched root exploit, to elevate its privileges from nobody to root.