I think pervasive process/app sandboxing – or at the very least proactively and aggressively limiting process capabilities a la OpenBSD pledge and unveil – is a key development that's over the horizon as well.
(What's old is new again with virtualization: IBM took that approach to make time-sharing happen with CP/CMS on System/360 – then VM/370, then z/VM...)