Why do you want to do this, anyway? Linux already isolates processes' memory from each other. With cgroups you can ensure that resources are allocated fairly, and with chroot and namespaces you can ensure that they're securely isolated from each other. Why run a whole bunch of kernels on top of other kernels? It just adds inefficiency.
A couple ways to prevent X11 keylogging/screenshots/actions:
* If chrome/chromium are doing it right now, most parts of the browser should not be able to access X11 directly.
* X.org provides for two compartiments, trusted X (the default) and untrusted X (now used by ssh -X, also sux --untrusted). There are still a number of applications having issues with untrusted X (e.g. Skype doesn't work), also copy & paste don't normally work (for that you can use "xsel -o | ssh otheruser@localhost 'DISPLAY=:1 xsel -i'" or converse, bound to a key combination or panel widget), but it works well enough that I'm running Twinkle and xchat that way.
* let the apps go through VNC (Skype has issues with this, too, though, but then Skype doesn't run smoothly in a VM either (realtime audio issues))
Of course the kernel (and suid apps and apps with tempfile races etc.) are still offering a broader attack surface than a VM, so the above should be complemented with some good intrusion detection mechanism (to catch intrusions before they exploit root), for which I don't have a good suggestion.
