If you think about the fundamentals involved here, what you actually need is for the OS to refuse to implement any syscalls, and not share an address space.

A process is already a hermetically sealed sandbox. Running untrusted code in a process is safe. But then the kernel comes along and pokes holes in your sandbox without your permission.

On Linux you should be able to turn off the holes by using seccomp.