To give a list of these PL-level separation mechanisms, and their languages, these are the kernels I know of that work in this fashion.
Spin OS (Modula-3), Singularity (Sing#), Midori (M#), TockOS (safe rust).
As far as I know TockOS is the only one I know of which has some form of both PL-level and hardware enforcement of separation, albeit on an MPU rather than a full MMU, PL-level for kernel modules, and an MPU protected userspace.
I at least think it is worth addressing that none of these separation mechanisms are actually mutually exclusive.
Spin OS (Modula-3), Singularity (Sing#), Midori (M#), TockOS (safe rust).
As far as I know TockOS is the only one I know of which has some form of both PL-level and hardware enforcement of separation, albeit on an MPU rather than a full MMU, PL-level for kernel modules, and an MPU protected userspace.
I at least think it is worth addressing that none of these separation mechanisms are actually mutually exclusive.