It is already trivial. The offset of securelevel references in code of
functions a module can access is near enough a constant
> Not allowing module loads is reasonable, actually. That does NOT change the
> fact that no module should access "securelevel", which is the original problem.
Yes. Allowing module loads has to be blocked by securelevel