
You're misunderstanding what I've described. Only the JITting would occur in a separate process. The sandboxed app would give the JS code to the JITter daemon, then the JITted code would be mapped to the address space of the sandboxed app, where it would run just as if it was part of the native app binary. There's no marshalling other than sending JS code to the JIT daemon.



Yes, I did misunderstand, and that may work to get around the NX restriction being per process. It would probably be a significant change to the JIT architecture in order for it to work out of process. This also would probably have security implications, since it looks like old MS Edge did this for mitigation and Google found possible exploits: https://googleprojectzero.blogspot.com/2018/05/bypassing-mit...
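The design described in the thread, reduced to a small Linux demo in C (an added illustration, not code from either commenter): the JIT daemon is a forked child that owns the only writable mapping of a memfd and seals it after emitting; the sandboxed app maps the same object read+execute only and calls into it as if it were native code, and also verifies that it can no longer obtain a writable mapping. The machine-code bytes are a constructed stand-in for real JIT output; memfd_create and F_ADD_SEALS are Linux-specific.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
/* Constructed "JIT output" for `return 42`; a real daemon would compile JS here. */
#if defined(__x86_64__)
static const uint8_t kCode[] = {0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3};             /* mov eax,42; ret */
#elif defined(__aarch64__)
static const uint8_t kCode[] = {0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6}; /* mov w0,#42; ret */
#else
#error "demo carries machine code only for x86-64 and aarch64"
#endif
/* JIT-daemon side (forked child): the only process that ever maps the code writable.
 * After emitting it drops that mapping and seals the memfd, so no holder of the fd
 * (the sandboxed app included) can create a writable mapping afterwards. */
static int jit_daemon(int fd) {
    if (ftruncate(fd, 4096) != 0) return -1;
    uint8_t *rw = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (rw == MAP_FAILED) return -1;
    memcpy(rw, kCode, sizeof kCode);
    munmap(rw, 4096); /* F_SEAL_WRITE is refused while a shared RW mapping exists */
    return fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_SEAL);
}
/* Sandboxed-app side: maps the same object RX only and calls into it like native code.
 * Returns 42 on success, -1 if mapping fails, -2 if the app could still map it RW. */
static int run_jitted(int fd) {
    void *w = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (w != MAP_FAILED) { munmap(w, 4096); return -2; } /* seal did not hold */
    void *rx = mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    if (rx == MAP_FAILED) return -1;
    int (*fn)(void) = (int (*)(void))rx;
    int result = fn();
    munmap(rx, 4096);
    return result;
}
/* Whole exchange: the app creates the shared object, the daemon fills it, the app runs it. */
int demo_out_of_process_jit(void) {
    int fd = memfd_create("jit-code", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) _exit(jit_daemon(fd) == 0 ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) { close(fd); return -1; }
    int r = run_jitted(fd); close(fd); return r;
}
```

The sealing step is what makes the split meaningful: without it the sandboxed process could simply re-map the fd writable and the per-process W^X restriction would be back to a single process's RWX pattern.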



