I've been wondering if something like this could be done, but using actual syscalls - tagging processes as Linux or Darwin and dispatching syscalls differently, as with Linux personalities or (AIUI) Solaris branded zones - instead of with a hypervisor. I think you could do this with a kernel module that hooked the syscall entry point, assuming SIP lets you do such a thing. I'm surprised they used a VMM, but I guess it's not that hard to implement via Hypervisor.framework.
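To make the "tag the process, dispatch the syscall by tag" idea concrete, here is an added user-space model (my own example, not code from noah or from anyone in this thread). It assumes a hypothetical per-process `brand` field and a decoder table indexed by that brand; the syscall numbers are the real Linux x86_64 numbers (read=0, write=1, open=2, exit=60) and the real macOS x86_64 numbers (BSD class 2 in the top byte: exit=0x2000001, read=0x2000003, write=0x2000004, open=0x2000005). The point it shows is that the same raw number means different things under each ABI, so a kernel hook at the syscall entry must consult the brand before doing anything else.

```c
#include <stdio.h>
#include <stdint.h>

/* Hypothetical process brand, analogous to a Linux personality or a
 * Solaris zone brand. In a real kernel this would live in the proc struct. */
typedef enum { BRAND_LINUX = 0, BRAND_DARWIN = 1, BRAND_COUNT } brand_t;

/* ABI-neutral operation the dispatcher resolves a raw number to. */
typedef enum { OP_UNKNOWN = 0, OP_READ, OP_WRITE, OP_OPEN, OP_EXIT } op_t;

struct proc {
    int     pid;
    brand_t brand;
};

/* Linux x86_64 syscall numbers (real values, small table for illustration). */
static op_t linux_decode(uint64_t nr)
{
    switch (nr) {
    case 0:  return OP_READ;
    case 1:  return OP_WRITE;
    case 2:  return OP_OPEN;
    case 60: return OP_EXIT;
    default: return OP_UNKNOWN;
    }
}

/* macOS x86_64: the syscall class sits in bits 24..31; BSD/Unix calls are
 * class 2, and the low 24 bits carry the BSD number (real values). */
#define DARWIN_CLASS_SHIFT 24
#define DARWIN_CLASS_UNIX  2u
#define DARWIN_NR_MASK     0x00FFFFFFu

static op_t darwin_decode(uint64_t nr)
{
    if ((nr >> DARWIN_CLASS_SHIFT) != DARWIN_CLASS_UNIX)
        return OP_UNKNOWN;          /* Mach or machdep class: not modelled here */
    switch (nr & DARWIN_NR_MASK) {
    case 1:  return OP_EXIT;
    case 3:  return OP_READ;
    case 4:  return OP_WRITE;
    case 5:  return OP_OPEN;
    default: return OP_UNKNOWN;
    }
}

typedef op_t (*decoder_fn)(uint64_t);

/* Dispatch table indexed by brand: this is the switch the syscall-entry hook
 * would consult before touching any arguments. */
static const decoder_fn decoders[BRAND_COUNT] = {
    [BRAND_LINUX]  = linux_decode,
    [BRAND_DARWIN] = darwin_decode,
};

/* Resolve a raw syscall number for a branded process. Out-of-range brands
 * fall through to OP_UNKNOWN rather than indexing past the table. */
op_t dispatch(const struct proc *p, uint64_t nr)
{
    if (p->brand < 0 || p->brand >= BRAND_COUNT)
        return OP_UNKNOWN;
    return decoders[p->brand](nr);
}

const char *op_name(op_t op)
{
    static const char *names[] = { "unknown", "read", "write", "open", "exit" };
    return names[op];
}

int main(void)
{
    /* Constructed sample processes: one Linux-branded, one Darwin-branded. */
    struct proc linux_p  = { .pid = 100, .brand = BRAND_LINUX };
    struct proc darwin_p = { .pid = 101, .brand = BRAND_DARWIN };

    /* Same raw number, different meaning depending on the brand. */
    printf("nr 1 under linux  -> %s\n", op_name(dispatch(&linux_p, 1)));
    printf("nr 1 under darwin -> %s\n", op_name(dispatch(&darwin_p, 1)));
    printf("nr 0x2000004 under darwin -> %s\n",
           op_name(dispatch(&darwin_p, 0x2000004)));
    printf("nr 0x2000004 under linux  -> %s\n",
           op_name(dispatch(&linux_p, 0x2000004)));
    return 0;
}
```

Run as-is, it prints that number 1 is `write` for the Linux-branded process and `unknown` for the Darwin one (class 0 is not a BSD call), while 0x2000004 is `write` only under the Darwin brand. A real hook would also have to translate argument layouts, errno values and struct formats per brand, which is the bulk of the work whether the interception happens in a kernel extension or, as noah does it, in a VMM.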
Maybe there's no significant overhead to a VMM if it's hardware-accelerated?
With SIP enabled you are still free to load arbitrary “signed with an Apple-approved signature” kernel extensions, so I don’t see why your technique wouldn’t be possible. You’re natively executing most of the code and intercepting syscalls either way, so I doubt there would be much of a difference in performance. I haven’t done anything serious with noah but it’s been relatively performant.