I sent to Python-Dev a design doc for restricted execution. So far no complaints, but it has not been the weekend yet, when some people catch up with their email. Plus I know of at least one person who cares a lot about research who is formulating a response, so I am not in the clear yet (although I don't know what the tone of the response is going to be).
I think the design is reasonable from the viewpoint of having separate interpreters. I could go pure capabilities and have everything in a single interpreter instead of multiple ones, but I don't know if I want to hack into the internals that heavily to make this work.