The lean MicroPython runtime is a widely adopted high-level programming framework for embedded microcontroller systems. However, the existing MicroPython codebase has limited security features, rendering it a fundamentally insecure runtime environment. This is a critical problem, given the growing deployment of highly interconnected IoT systems on which society depends. Malicious actors seek to compromise such embedded infrastructure, using sophisticated attack vectors. We have implemented a novel variant of MicroPython, adding support for runtime security features enabled by the CHERI RISC-V architecture as instantiated by the CHERIoT-RTOS system. Our new MicroPython port provides hardware-enabled spatial memory safety, mitigating a large set of common runtime memory attacks. We have also compartmentalized the MicroPython runtime, to prevent untrusted code from elevating its permissions and taking control of the entire system. We perform a multi-faceted evaluation of our work, involving a couple of qualitative case studies and a quantitative performance analysis. The first case study demonstrates that a reported MicroPython CVE featuring a heap buffer overflow is no longer possible. The second case study demonstrates that compartmentalized library code mitigates against software supply-chain attacks via untrusted third-party libraries. The performance analysis shows a geometric mean execution time overhead of 45% for secure execution across a set of Python benchmarks, although we argue this is indicative worst-case overhead on our prototype platform and a realistic deployment overhead would be significantly lower.