
Put the library in a different process and seccomp it



Yes, this, exactly. In our current operating systems models, the process is the most granular resource that we can confine. The OS model doesn't allow for more fine-grained resource control than that, so code with different authorization scopes should run in different processes.

Maybe we need a different OS/process model?
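
An added illustration of the advice in this thread (example code written for this page, not taken from any commenter): a Linux C program that forks, installs a seccomp-BPF allow-list in the child, and only then runs the function standing in for "the library", so a pure computation returns its result over a pipe while an attempt to open a file is killed with SIGSYS. It assumes x86_64 or aarch64 Linux with glibc; the function names and the `/etc/hostname` path are the example's own choices.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __x86_64__
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#endif /* assumption: x86_64 or aarch64; add the AUDIT_ARCH_* value for other targets */
/* Allow-list: only write (result pipe) and exit_group; wrong arch or any other syscall kills the child. */
static int confine(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;   /* required for unprivileged filters */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Run work() in a confined child; returns 0 with *result set, 1 if the filter killed it (SIGSYS), -1 on error. */
int run_confined(int (*work)(void), int *result) {
    int fd[2], status; pid_t pid;
    if (pipe(fd) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {
        close(fd[0]);                        /* before the filter: close is not on the allow-list */
        if (confine() != 0) _exit(100);
        int v = work();                      /* the "library" only ever runs after confinement */
        _exit(write(fd[1], &v, sizeof v) == sizeof v ? 0 : 2);
    }
    close(fd[1]); waitpid(pid, &status, 0);
    int killed = WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS;
    ssize_t n = killed || !WIFEXITED(status) || WEXITSTATUS(status) != 0 ? -1 : read(fd[0], result, sizeof *result);
    close(fd[0]);
    return killed ? 1 : (n == (ssize_t)sizeof *result ? 0 : -1);
}
int pure_work(void) { return 6 * 7; }                                                 /* stand-in library: pure computation */
int file_work(void) { return (int)syscall(SYS_openat, AT_FDCWD, "/etc/hostname", O_RDONLY); } /* stand-in that reaches for a file */
```

Any real library would need a longer allow-list (memory allocation, its own IPC), which is exactly the point: the list is the authorization scope, and it is per process.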


The Fuchsia OS has a very interesting security model in this respect: https://fuchsia.dev/fuchsia-src/concepts/principles/secure

The tl;dr being a very powerful and lightweight sandboxing mechanism complemented with an OS-mediated IPC layer wrapped by language-idiomatic libraries.

Unfortunately Fuchsia is taking its own sweet time to play out.
