gVisor's architecture is fascinating. Years ago I wrote an essay that was kind of a response to all the cracks about "systemd-kerneld" that have been made over the years. Written in character as "Fake Lennart Poettering", it proposed a strategy, using techniques inspired by NetBSD's rump kernel libraries, to turn systemd into a kernel, which would then load a Linux image and "pass through" all system calls to it except those systemd wanted to intercept. Which is kinda the opposite of what gVisor does!

Some guy on a German Linux forum thought my idea was an actual plan by the systemd team, and another poster had to correct him that the author was "FAKE Lennart Poettering", so the joke either didn't land or landed all too well, depending on your perspective...

well, jokes aside, what you're describing, is kind of what a "secure" (with many air/literal quotes) MCP/Agentic architecture looks like :D

In this context we're experimenting with gvisor on various platforms, and we're preparing a demo for kubecon about a fine-grained sandboxing approach for AI agent tasks spawned from a sandboxed agent.