
The game is just a lot more difficult, you have to exploit everything as a UAF


CHERI can provide heap temporal safety to protect against use-after-free (really, use-after-reallocation; use-after-free is harmless until the point at which the memory is being used for something else, and deferring lets you batch revocation sweeps), it's just not on by default yet as it's a bit too experimental, but we're working to stabilise it more for our next CheriBSD release.
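The deferred-revocation scheme described above, as an added toy model (not CheriBSD or CHERI code): a "capability" is a pointer plus a validity tag, free() only quarantines the chunk, and a batched sweep clears the tags of dangling capabilities before the chunk can be reused. The `known` registry stands in for the hardware-assisted memory scan real CHERI revocation uses, and an access through an untagged capability is modelled as a return of -1 (load) or 0 (store) instead of a fault.

```c
/* Toy model of deferred heap revocation (added example, not CheriBSD code). A
 * "capability" is a pointer plus a validity tag. free() only quarantines the
 * chunk; a later revocation sweep clears the tag of every known capability that
 * still points into quarantine, and only then are those chunks handed out again. */
#define NCHUNKS 2
#define CHUNK   16
#define NCAPS   8

typedef struct { char *ptr; int tag; } cap_t;
static char   heap[NCHUNKS * CHUNK];
static int    state[NCHUNKS];  /* 0 = free, 1 = live, 2 = quarantined */
static cap_t *known[NCAPS];    /* stand-in for CHERI's memory scan for capabilities */
static int    nknown;

static int chunk_of(const char *p) { return (int)((p - heap) / CHUNK); }

/* Returns 1 on success; only state-0 chunks are handed out, never quarantined ones. */
int cap_alloc(cap_t *c) {
    for (int i = 0; i < NCHUNKS; i++) {
        if (state[i] != 0 || nknown >= NCAPS) continue;
        state[i] = 1; c->ptr = heap + i * CHUNK; c->tag = 1;
        known[nknown++] = c;
        return 1;
    }
    return 0;
}
/* free() quarantines the chunk; the dangling capability keeps its tag for now. */
void cap_free(cap_t *c) { state[chunk_of(c->ptr)] = 2; }

/* Access through an untagged capability models a hardware fault (-1 / 0). */
int cap_load(const cap_t *c)    { return c->tag ? (unsigned char)c->ptr[0] : -1; }
int cap_store(cap_t *c, char v) { if (!c->tag) return 0; c->ptr[0] = v; return 1; }

/* Batched sweep: revoke capabilities into quarantine, then release those chunks. */
int revoke_sweep(void) {
    int revoked = 0;
    for (int i = 0; i < nknown; i++)
        if (known[i]->tag && state[chunk_of(known[i]->ptr)] == 2) { known[i]->tag = 0; revoked++; }
    for (int i = 0; i < NCHUNKS; i++) if (state[i] == 2) state[i] = 0;
    return revoked;
}

/* UAF lifecycle: stale reads before the sweep see unreused memory; after it, they fault. */
int demo(void) {
    cap_t a, b, c;
    if (!cap_alloc(&a) || !cap_store(&a, 'A')) return 0;
    cap_free(&a);
    if (cap_load(&a) != 'A') return 0;              /* dangling but harmless: not reused */
    if (!cap_alloc(&b) || b.ptr == a.ptr) return 0;  /* quarantine blocks reuse */
    if (revoke_sweep() != 1 || cap_load(&a) != -1) return 0;
    if (!cap_alloc(&c) || c.ptr != a.ptr) return 0;  /* chunk reused only after revocation */
    return cap_store(&a, 'X') == 0;                  /* stale write refused, c unaffected */
}
```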


If I understand CHERI correctly it would be UAF + only intended pointer operations on pointers.


Yeah, you get in-bounds access to the allocation so sub-allocation attacks/cross field are in play. It's kinda a pain in the ass to turn that into a useful exploit primitive though, and anyways UAF is much easier because (at least with classic allocators) you can corrupt any allocation type. Hardened allocators make exploitable overlaps much harder though and so in practice CHERI's spatial safety might be enough to kill tons of bugs.



