Comment by btrask

10 years ago

A sandbox like NaCl doesn't depend on the kernel for security. In fact, it shields the kernel, which is good, because common OS kernels tend to have large attack surfaces of their own. The compiler of the sandbox needs to be reliable (so like CompCert, until Rust matures in this regard), but the compiler(s) of the software inside the sandbox don't matter.

You're right that stuffing all of Chromium into a single sandbox would not be very good, because pages would be able to attack the browser (history, passwords, etc.) and each other. You'd want to run each renderer in its own sandbox (which to some extent Chrome already does).