So you're going to put GCC and full kernel headers on a ChromeOS netbook? And what about dynamic policies? For example, I want to create a sandbox and allow it to access '/home/myname/workarea'. How would you do it?
Using BPF to filter syscalls is a stroke of genius. BPF is already used in heavy-duty network filtering code (hey, do you think that iptables are slow?) and it has a simple JIT to work even faster.
Besides, in typical seccomp configurations you won't get a lot of syscalls.
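As an added illustration (not part of the comment above and not code from any project it discusses), this is what a short seccomp allow-list looks like as a classic BPF program. The three allowed syscalls are an assumption, and `decide` is a hypothetical userspace evaluator for the three opcodes the filter uses, so the policy's verdicts can be checked without installing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define MY_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define MY_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* One allow-list entry: if the accumulator equals nr, return ALLOW;
 * otherwise skip over the return and fall through to the next entry. */
#define ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Assumed policy: read, write and exit_group only. This array is what a
 * struct sock_fprog would carry to prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...). */
static const struct sock_filter policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, MY_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),  /* foreign syscall ABI */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW(SYS_read), ALLOW(SYS_write), ALLOW(SYS_exit_group),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),  /* default deny */
};
#define POLICY_LEN (sizeof(policy) / sizeof(policy[0]))
/* Hypothetical helper: runs the policy over a constructed seccomp_data. */
static uint32_t decide(uint32_t arch, int nr)
{
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < POLICY_LEN; pc++) {
        const struct sock_filter *f = &policy[pc];
        switch (f->code) {
        case BPF_LD | BPF_W | BPF_ABS:   /* load 32-bit field at offset k */
            memcpy(&acc, (const char *)&sd + f->k, sizeof(acc)); break;
        case BPF_JMP | BPF_JEQ | BPF_K:  /* relative jump on acc == k */
            pc += (acc == f->k) ? f->jt : f->jf; break;
        case BPF_RET | BPF_K:            /* verdict */
            return f->k;
        }
    }
    return SECCOMP_RET_KILL;
}
int main(void) {
    printf("write=%#x openat=%#x\n", decide(MY_ARCH, SYS_write), decide(MY_ARCH, SYS_openat));
    return 0; }
```

The whole policy is 11 BPF instructions, and every syscall outside the list, or made through a different ABI, hits a kill verdict.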