It's relatively easy to get those features if you don't mind breaking all backwards compatibility. Which is what Android did.
It gives each separate process its own UID, but has them all using a common display server. Then you combine the way that almost everything has to be done through the Android framework with some special kernel patches. For instance, /etc is normally used for settings files, but that means special things have to be done if you want to mount root as read only. Especially since some of those files, like resolv.conf, must be updated while running.
Most good daemons already run as their own user/group. Android has just moved that from the application to the framework/installer.
On another note, I don't want things to be complicated to the end user. I just want to be able to easily have a read only root partition, and know that it and my kernel haven't been tampered with evil maid style. I could go with encryption, but that not only eats some CPU, but it destroys DMA. Secure boot makes sure the kernel's ok, and simple file hashing makes sure they haven't been tampered with.
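The "simple file hashing" idea in the comment above, as an added example (not code from the original post): build a SHA-256 manifest over a read-only root tree, then verify it later and report files that were modified, removed, or added. The directory layout, file names and contents in `demo()` are constructed for illustration; the manifest itself would need to live somewhere the attacker cannot rewrite (e.g. signed and covered by the secure-boot chain), which this snippet does not do.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest.
    Symlinks and special files are skipped; only regular file contents are hashed."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root, manifest):
    """Re-hash the tree and diff it against a trusted manifest.
    Returns sorted lists of modified, missing and unexpected (added) paths."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: a tiny fake root, a clean check, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "fstab").write_text("/dev/sda1 / ext4 ro 0 1\n")
        (root / "boot").mkdir()
        (root / "boot" / "vmlinuz").write_bytes(b"\x7fELF constructed kernel image")

        manifest = build_manifest(root)       # taken while the tree is known good
        clean = verify_manifest(root, manifest)

        # Simulate an offline modification of the tree: one file changed,
        # one removed, one unexpected file dropped in.
        (root / "boot" / "vmlinuz").write_bytes(b"\x7fELF modified image")
        (root / "etc" / "fstab").unlink()
        (root / "etc" / "unexpected.conf").write_text("constructed\n")
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean check:", before)
    print("after tampering:", after)
```

Run it directly to see the clean result (all three lists empty) and the tampered result naming `boot/vmlinuz`, `etc/fstab` and `etc/unexpected.conf`. Hashing contents alone won't catch a changed mode bit or owner, so a real integrity check over a root filesystem would also record metadata, and files that legitimately change at runtime (the resolv.conf case from the comment) need to be excluded or relocated to a writable mount.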