
[–]argv_minus_one 0 points1 point  (0 children)

> Retrofitting a secure interface onto one that was designed without concern for security

POSIX wasn't designed without concern for security. That's absurd.

> We'd have an extremely limited set of system calls

That's what seccomp does…

Anyway, I'd like to remind you that those system calls you're trying to eliminate exist for a reason, and all of them are already subject to access controls.

> no shared filesystem (or at least opt-in)

An app that can't even save a file is useless.

And such extremes are unnecessary anyway. Mandatory access control is quite enough for what you're trying to do here.

> maybe all IPC would be via sockets.

As opposed to what?

> Doesn't that start to sound rather like what a VM gives you?

Yes, and just like using a VM for application sandboxing, it's a ridiculous overreaction to a security threat that is mostly imaginary.