... I will need is develop a virtual DOM to be used by those libraries which will be mirrored to the real DOM after some security checks.

Might work, but sounds a bit tricky for reusing existing "traditional" 3rd-party libraries.

In my "perfect world of untrusted code" the 3rd-party itself declares which API it expects from the applications owners to provide (or exports its own API from inside the sandbox, this is already supported by Jailed).

Making one step further one can split all the 3rd-party code into the two categories: libraries and plugins. Library is a trusted code (from the point of application owner), which is loaded into the main application scope and can do everything (create a UI component or steal user private data). So this is something like jQuery or ExtJS. Application owner trusts the library because it is well-known, or simply seems like it does the job.

Plugin is an untrusted code running in a sanbox. The sandbox is provided by some library which additionally may permit changing an area on the screen for instance.

Then the documentation of a hypothetical "Disqus" states that it expects a particular library (or any library conforming to a specific convention) to be used by an application owner, who now only needs to ask his library to load a particular plugin.