The underlying assumption of motivation for this discussion is that jailing (or whatever we want to call it) is somehow a good thing. Given that every CPU we care about comes with virtualization hardware, I just can't see the point of jails -- seems like an idea whose time has gone, kind of like 8086 segments.
If we give up on using RFNOMNT as a jailing mechanism, do the concerns really make any sense? ron