I don't know much about the security system, and I can't imagine there's any decent amount of docs on it. I _believe_ it's made up of basically two parts: one is a set of security bits that can be set to block access to the OS (filesystem, sockets, and so on) in the C-level glue, and the other is a system to block function calls between different zones. The latter is much like the lock spaces in my proposal, so I guess that part would probably be best reimplemented using special kinds of lock space locks in the future.
On the other hand, most of what I would need (or even: most of what can be done with the security system) can be achieved by using a CompilationHandler and a little getting-your-hands-dirty effort, at least that's what I suspect, and so it is probably not too big a loss.
Yes, I think that's a workable alternative, although in that case you'd be doing a lot of the work (lots of function wrappers etc) that the security system would be doing for you otherwise.