OP's definition is the same as yours, except instead of "user space" it's "a virtualized sandbox, but still running in ring 0".
What's the difference besides technicalities of the implementation? Everything else you are saying about using IPC interfaces and isolating the kernel code still applies in both cases.
What's the difference besides technicalities of the implementation? Everything else you are saying about using IPC interfaces and isolating the kernel code still applies in both cases.