This would require several generalizations; I'd like to see a non-root
   mount with the necessary restrictions (nosuid, noexec, whatever)
   (although from reading Bugtraq, I gather you have to be -real- careful.
    I'd suggest making sure the user owned the mount point, not just checking
    for r/w/no-suid access on it.) (nosuid because you don't want someone
   mounting over /tmp, for example - one case where it's not always obvious)

NetBSD-current already does this.

   Also, I'd like to see some kind of callback into user space (daemons?) to
   handle userland debugging of filesystems.  I know they'd be slower, but they'd
   be less like to crash your system (and easier to debug), and there really
   isn't any reason IMHO why a user can't access a file of hers as a fs hierarchy
   of her own design if she really wants to.  What do you people think?

You need to redesign lookup() a bit to do that, or you risk frequent
deadlocks.