So in general this is a kludge to implement app isolation via "VM", because existing CPU architectures suck at isolating code?