Erm, okay, you're talking about something completely different...
The problem is that 'If you instead had a wire to the machine in the room, you could monitor the transactions over the wire. You could ensure a non turing complete language is used in the wire protocol. You can deny humans access. You can apply defense in depth to a wire. No so much to a room full of humans.' you can do _on an air-gapped machine_.
What you have just proposed doing is to put the UI of the secure machine outside the secure machine, and locking down interactions between it and the secure machine...which is fine, but there's no reason you can't put that UI _inside the air gap_. And in fact that makes much more sense.
You, uh, just need two of them in the room. One that people can physically access, and one, locked behind bars, that they cannot, connected via a wire, with an air-gap between that system and the outside world.
This is a bit of an overkill, though. If you are worried about the people who access the air-gapped computer being a weak link, in actuality you _build the UI with security_ (Just like your hypothetical wire protocol, but much easier.) and then don't let them physically access the CPU or disks. (I recommend a external CD-RW drive.)
And you 'analyze' what they do by simply recording the screen and keyboard. Which you can do by either unidirectional wiring or by literally recording it with a camera. Or having watchers.
Or, alternately, if you want, you can do it like I said and just put a UI computer in the air-gap room also. You can even render the UI computer fairly difficult to hijack by building it solely out of read-only storage. It would be the perfect place for some sort of dumb terminal that is just running a web browser connected to the actual secure machine, which is locked up inside a box inside the air-gap and none of the users can get to it.