Another solution strategy is "take it out to the next level and solve the problem in the wider context".
Microkernel OSs "send messages" to implement device drivers in user mode. So a crashing driver (think debug!) does not trash the kernel.
Work has been done to allow _multiple OSs_ to share a window system.
https://genode-labs.com/publications/nitpicker-secure-gui-2005.pdf
With the proper support, having the rendering "driver" as a separate process which gets drawing messages from Morphic objects could be an interesting project.
Making it "fast enough" is something the microkernel folks have been working on for some time.
$0.02, -KenD