This is a philosophical note about capabilities. KeyKOS was mainly designed to limit the impact of code that did not behave as expected. Expected by whom? Expected by the system integrator. Indeed, a critical system component in KeyKOS would rely on only that component's TCB (Trusted Computing Base), even when such a critical system called, and was called by, buggy or even malicious elements in the system. That TCB could be quite small in some real applications, amounting to only about a megabyte of code, the CPU and a few I/O devices. The focus was not on coding errors; the focus assumed that all code behaved as designed, especially code designed by the malicious programmer. We were concerned with design errors, not coding errors. We were also concerned with malicious programs that worked as designed. The tools for connecting software modules together impacted design patterns, much as some modern programming languages do. We extended this sort of protection to systems composed of programs written in many languages, even machine language.