> But that's the core of the vulnerability: if you just look at the screen
> (and just scroll through it) you will have an incorrect understanding of
> what the code does.
>
> It's good that such bidi override chars are displayed as a thin space,
> but it's mostly useful to make it possible to edit them (or to `C-x =`
> on them), but I don't think it makes a significant difference in terms of
> the security issues introduced by the presence of those chars in the
> code.

Given that the vulnerability is limited to source code, in which AFAIU
there's no legitimate use of such characters, would the following not be
enough?

    (defun make-bidi-reordering-characters-apparent ()
      "Show Unicode bidi embedding, override and isolate controls as a warning glyph."
      (setq buffer-display-table (make-display-table))
      ;; Spell the code points out instead of using the (invisible) literal
      ;; characters, so that this function is itself readable.
      (dolist (ch '(#x202a #x202b #x202c #x202d #x202e   ; LRE RLE PDF LRO RLO
                    #x2066 #x2067 #x2068 #x2069))        ; LRI RLI FSI PDI
        (aset buffer-display-table ch [?⭤]))
      ;; Font-lock matches the buffer text, not the displayed glyph, so the
      ;; keyword has to match the control characters themselves, not "⭤".
      (font-lock-add-keywords
       nil '(("[\u202a-\u202e\u2066-\u2069]" . 'font-lock-warning-face))))

    (add-hook 'prog-mode-hook #'make-bidi-reordering-characters-apparent)
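The display-table approach above makes these characters visible inside Emacs; the same nine code points are worth checking outside the editor as well, for instance in a pre-commit hook or in CI, where nothing is rendered at all. The following is an added example and is not code from this thread or from Emacs. It scans text for the embedding, override and isolate controls, reports each one at its stored (logical-order) position, and additionally flags controls that are unterminated or unmatched at the end of a line, since an override that stays open to the end of the line is what lets the rest of that line be displayed in a different order than it is stored. The function and class names (`scan`, `Finding`, `render_logical`, `has_bidi_controls`) are my own, the nesting check is a deliberately simplified version of the Unicode bidi algorithm (it only looks at the innermost open control), and `SAMPLE` is a constructed snippet for illustration.

```python
"""Flag Unicode bidi control characters in source text (a Trojan Source check)."""
from __future__ import annotations

import sys
from dataclasses import dataclass, replace

# The same nine code points the Emacs display table remaps.
BIDI_CONTROLS = {
    0x202A: "LRE", 0x202B: "RLE", 0x202C: "PDF", 0x202D: "LRO", 0x202E: "RLO",
    0x2066: "LRI", 0x2067: "RLI", 0x2068: "FSI", 0x2069: "PDI",
}
OPENERS = frozenset({0x202A, 0x202B, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068})
# PDF terminates embeddings/overrides, PDI terminates isolates.
CLOSES = {
    0x202C: frozenset({0x202A, 0x202B, 0x202D, 0x202E}),
    0x2069: frozenset({0x2066, 0x2067, 0x2068}),
}


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number
    col: int    # 0-based index into the stored (logical-order) line
    name: str   # abbreviation such as "RLO"
    note: str   # "" for a balanced control, otherwise why it is suspicious


def scan(text: str) -> list[Finding]:
    """Return every bidi control in TEXT, flagging unterminated or unmatched ones.

    Bidi embeddings, overrides and isolates end implicitly at a paragraph
    break, so a control that is still open at the end of a line reorders
    the rest of that line on screen.  This is a simplified check: a closer
    is only matched against the innermost open control.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stack: list[tuple[int, int]] = []   # (code point, index into findings)
        for col, ch in enumerate(line):
            cp = ord(ch)
            if cp not in BIDI_CONTROLS:
                continue
            note = ""
            if cp in OPENERS:
                stack.append((cp, len(findings)))
            elif stack and stack[-1][0] in CLOSES[cp]:
                stack.pop()
            else:
                note = "closer without matching opener"
            findings.append(Finding(lineno, col, BIDI_CONTROLS[cp], note))
        # Whatever is still open at end of line affects the display of the
        # remainder of the line; mark those findings as the dangerous ones.
        for _cp, idx in stack:
            findings[idx] = replace(findings[idx], note="unterminated at end of line")
    return findings


def has_bidi_controls(text: str) -> bool:
    """Cheap presence test, for callers that only want a yes/no answer."""
    return any(ord(ch) in BIDI_CONTROLS for ch in text)


def render_logical(line: str) -> str:
    """Show LINE in stored order with each control spelled out, e.g. <RLO>."""
    return "".join(
        f"<{BIDI_CONTROLS[ord(ch)]}>" if ord(ch) in BIDI_CONTROLS else ch
        for ch in line
    )


# Constructed sample: line 2 hides an RLO in a comment (unterminated) plus a
# balanced and an unbalanced isolate; line 4 has a stray PDI.
SAMPLE = (
    "int is_admin = 0;\n"
    "/*\u202e } \u2066if (is_admin)\u2069 \u2066 begin admins only */\n"
    '    printf("admin\\n");\n'
    "return 0; \u2069\n"
)


def main(paths: list[str]) -> int:
    """Scan the given files (or SAMPLE if none); non-zero exit if anything was found."""
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    sources = sources or [("<sample>", SAMPLE)]
    found = 0
    for name, text in sources:
        lines = text.splitlines()
        for f in scan(text):
            found += 1
            suffix = f" ({f.note})" if f.note else ""
            print(f"{name}:{f.line}:{f.col}: {f.name}{suffix}")
            print("    " + render_logical(lines[f.line - 1]))
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the constructed sample reported, or pass source files to check a tree; the exit status makes it usable as a commit hook. Note that the check deliberately reports every occurrence, not just unbalanced ones, following the reasoning in the message that these characters have no legitimate use in source code.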