That is how I would design it. It is common in safety critical PLC systems to have 1 or more separate safety PLCs that try to prevent bad things from happening.

Although in a SIL safety system the dangerous events are identified and extremely thoroughly characterized as part of system design.

There cannot be a safety system of this type for a generalist platform like a humanoid robot. It's possibility space is just too high.

I think the safety governor in this case would have to be a neural network that is at least as complex as the robots network, if not more so.

Which begs the question: what system checks that one for safety?