It looks like, in essence, instead of trapping straight to the kernel, you are restricting the untrusted renderer to trap to a supervisor that can then validate and trap to the kernel.
Was there consideration of using x86 ring 1 or 2 for this purpose? Is that too architecture dependent?
Anyway... still an interesting idea. The syscall table looks refreshingly small. I noticed things like socket and connect aren't in there... I take it the network I/O is still running in the trusted/main process?