Resource Accountability

All resources in Keykos are accounted for. In contrast, in Unix many operations cause the kernel to allocate space from its own limited pool on behalf of user applications, with no limit on how much any one application may consume this way.

Consider a machine largely devoted to operating bank ATMs. It is critical that the service be continuous. A new, related and complex application comes along to detect probable fraud in patterns of card usage. The second application must run on the same machine, for its input naturally resides there, and exporting it would cost more resources than running the fraud application at the original site of the data. Clearly the second application is the less essential of the two: the ATM system ran long before the fraud application was invented.

Being complex and newer, the fraud pattern application has bugs, one of which causes the kernel to allocate unbounded resources to it, perhaps pipes. Soon the kernel refuses the modest demands of the ATM application and service ceases. The system has failed.

If all storage were accounted for, as in Keykos, the fraud pattern application would have hit its own limit and failed while ATM service continued. This does require that system management estimate the resources needed by the critical ATM application and reserve them, with a safety margin, for that application. In Keykos there are two such internal resources, space and time. Space banks provide the means to reserve space, and meters provide the means to assure fixed performance despite the demands of programs of lesser priority.
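To make the accounting argument concrete, here is an added toy model in Python; it is not Keykos code, and its space bank is a deliberate simplification (carving a sub-bank charges the whole reservation to the parent at once). It runs the ATM/fraud scenario twice, once with per-application banks and once against a single shared pool, to show which application fails in each case.

```python
class OutOfSpace(Exception): "Allocation would exceed the bank's limit."

class SpaceBank:
    """Toy space bank: a page pool with a hard limit. Simplification (this
    example's assumption, not Keykos semantics): carving a sub-bank charges
    its whole limit to the parent at once, so no sibling can consume it."""

    def __init__(self, limit):
        self.limit, self.used = limit, 0

    def allocate(self, pages=1):
        # The limit is enforced here: this bank refuses, the caller fails,
        # and every other bank is untouched.
        if self.used + pages > self.limit:
            raise OutOfSpace(f"limit of {self.limit} pages reached")
        self.used += pages

    def sub_bank(self, limit):
        self.allocate(limit)      # the reservation is charged to the parent now
        return SpaceBank(limit)

def run_accounted(total, atm_reserve, atm_demand, fraud_leak):
    """Each application holds its own bank; returns (fraud_failed, atm_ok)."""
    root = SpaceBank(total)
    atm = root.sub_bank(atm_reserve)            # reserve, safety margin included
    fraud = root.sub_bank(total - atm_reserve)  # whatever is left over
    fraud_failed = False
    try:
        for _ in range(fraud_leak):             # buggy app leaks a page per call
            fraud.allocate()
    except OutOfSpace:
        fraud_failed = True                     # the leaker fails alone
    try:
        atm.allocate(atm_demand)                # modest demand, served from its reserve
        return fraud_failed, True
    except OutOfSpace:
        return fraud_failed, False

def run_unaccounted(total, atm_demand, fraud_leak):
    """One shared kernel pool, Unix-style; returns whether the ATM demand succeeds."""
    pool = SpaceBank(total)
    try:
        for _ in range(fraud_leak):
            pool.allocate()
    except OutOfSpace:
        pass                                    # stopped only by the global limit
    try:
        pool.allocate(atm_demand)
        return True
    except OutOfSpace:
        return False
```

With 1000 pages, a 200-page ATM reserve and a fraud application that leaks 5000 pages, `run_accounted` reports the fraud application failing while the ATM demand is met, whereas `run_unaccounted` reports the ATM demand refused.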

The system reliability that results may well be worth the extra performance cost of the isolation between application components that the Keykos kernel provides.