A sandbox mode for the kernel

This doesn't pass the smell test. Set up a pair of memfds for your ROM/RAM, pass them to a userspace helper running in seccomp mode 1. The tools are already there and they don't have an arbitrary x86-64 constraint besides. Am I missing anything?