@lanodan @condret Well, the thing is that if instead the architecture was, say, microkernels, then secure, formally verified implementations of relevant servers could be kept in dom0 or just in their own address space, and *exclusively* what the isolated module actually uses would be using up memory. None of the rampant duplication I've got going right now.
(Ballooning is not to be trusted for a number of reasons related to memory safety and arbitrary access, so I don't use it, which also means a larger memory footprint for VMs since I have to ensure they have enough memory to do the job.)
Add a different program model based on capabilities and language-based security (memory safety & no raw memory access means that static allocation is no longer necessary, shrinking memory requirements as low as they can go) and you can *safely* deduplicate further still.
But all of that is very labor-intensive and would imply writing an entirely new OS/system from scratch, which QubesOS doesn't do.