I want a secure string type in JavaScript that can be reliably wiped from memory

I want a SecureString (or SecureBytes) type in JavaScript that allows sensitive string data — passwords, tokens, private keys — to be securely and deterministically wiped from memory once it is no longer needed.

Today, JavaScript strings are immutable and garbage-collected. As a developer I have no way to overwrite the underlying bytes of a string before it is freed, and the runtime gives me no guarantees that the GC will actually zero the memory when it reclaims the object. This means sensitive data can linger in process memory long after I am done with it, creating a window for sophisticated attacks such as cold-boot attacks or memory-scraping malware.

Typed arrays (Uint8Array, etc.) can be zeroed manually, but they do not integrate well with the many browser and platform APIs that deal in strings — form inputs, fetch, TextDecoder, crypto.subtle, and so on. Converting sensitive data back and forth between typed arrays and strings just to use these APIs defeats the purpose.

What I need is a string-compatible type that:

1. Can be passed to existing string-accepting APIs without conversion overhead.
2. Exposes a destroy() or wipe() method that overwrites the underlying memory with zeros before releasing the reference.
3. Prevents the runtime from making additional invisible copies (e.g., interned string deduplication) that would survive the wipe.

This would bring JavaScript in line with secure-string primitives available in other environments (e.g., .NET's SecureString, Rust's zeroize crate) and give security-conscious web applications a credible way to minimise sensitive data exposure in memory.