One of the goals of the Keykos kernel design was to make it possible to remove function from the privileged kernel and implement it in code that ran with only the specific authority needed for its job. This was largely achieved. Here are some useful patterns, however, that are available to kernel code but not domain code.
Kernel code can perform operations triggered by swapping out pages or nodes. The operations I have in mind are the building and tearing down of data structures that support efficient operation. The kernel can avoid extra I/O by synchronizing with I/O. The kernel uses this pattern several times over to avoid chains of disk addresses that would require many sequential disk accesses. Sometimes the same algorithm in domain code may require those accesses. For instance, the chains that connect members of meter trees are dismantled when a node of the tree is swapped out. There is no place to put domain code so that it runs upon swapping something out. This would violate the carefully crafted illusion that there is no difference between RAM and disk. It is usually good that domain code need not worry about the difference between RAM and disk, but it can interfere with good design.
This pattern gives the Keykos kernel an advantage over some plans to run a fairly traditional OS, such as Unix, in a demand-paged virtual memory. Algorithms designed with RAM access times in mind suffer disk access times.
As an example, the stall queues never have stale domains on them. As soon as the nodes comprising a domain are sold back to the bank, and thus severed, the space on the queue is promptly and efficiently reclaimed. By contrast, the meter keeper that conscientiously stores resume keys to domains that it has blocked is susceptible to finding that most of the storage it uses to do this, such as a chain of nodes, is empty.
The bank keeper is invoked when an official bank discovers a zero limit. It does not have the ability to pretend that the invoker had not really asked for the blocked service, as does the kernel implementation of segments and meters. The ideas suggested here may provide this function to domain code.