The interface between DE and OS should have whitelisting, that is, a complete list of accepted commands (words of subprograms) should be made and all communication between OS and DE should have nothing except those keywords.
As Joanna Rutkowska says, the TCB has to be minimal. If I recollect it right, future Qubes is going to have a virtual compartment for graphics, replacing the old, extremely insecure monolithic system.
All of today's DEs are horrible, with animated videos, JavaScript and what not. Once GNOME becomes trusted, one can have multiple themes and not worry about insecure usage.
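A sketch of the whitelisted DE/OS interface described in the first paragraph, as an added example that is not part of the original post or of any real desktop environment. The keyword set, the line-based wire format, the window-id pattern and the length limit are all assumptions made for illustration, and it goes slightly beyond bare keywords by also allowing strictly typed arguments.

```python
import re

# Hypothetical argument types; \Z anchors so nothing may trail a valid value.
_INT = re.compile(r"[0-9]{1,5}\Z")
_WIN = re.compile(r"w[0-9a-f]{8}\Z")

# Hypothetical complete command list: keyword -> validators for each argument.
ALLOWED = {
    "FOCUS":  (_WIN,),
    "MOVE":   (_WIN, _INT, _INT),
    "RESIZE": (_WIN, _INT, _INT),
    "CLOSE":  (_WIN,),
    "LOCK":   (),
}
MAX_LEN = 64  # constructed limit on one message, in bytes


class Rejected(ValueError):
    """Raised for any message that is not exactly an allowlisted command."""


def parse_message(raw: bytes):
    """Return (keyword, args) for an accepted command, else raise Rejected."""
    if len(raw) > MAX_LEN:
        raise Rejected("too long")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise Rejected("non-ASCII byte") from None
    # Exactly one command per message: no smuggled second line.
    if not text.endswith("\n") or text.count("\n") != 1:
        raise Rejected("not a single newline-terminated command")
    keyword, *args = text[:-1].split(" ")
    spec = ALLOWED.get(keyword)
    if spec is None:
        raise Rejected("unknown keyword")
    if len(args) != len(spec):
        raise Rejected("wrong argument count")
    if not all(p.match(a) for p, a in zip(spec, args)):
        raise Rejected("bad argument")
    return keyword, tuple(args)


def filter_stream(messages):
    """Split raw messages into accepted commands and (raw, reason) rejections."""
    accepted, rejected = [], []
    for raw in messages:
        try:
            accepted.append(parse_message(raw))
        except Rejected as exc:
            rejected.append((raw, str(exc)))
    return accepted, rejected
```

Everything not matched by the table is dropped by default, so adding a feature to the DE cannot widen the interface unless the table itself is changed.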