Actually, if Maemo5 (or Meego will) would support SELinux, pretty secure system could be done much more easily and without having (slowish and battery consuming) multiple TrueCrypted virtual disks.

The above TrueCrypt based sandboxing would be like recreating SELinux again but with little different features and by different methods.

If the root-user can decrypt every virtual disk anyway through the applock-password-manager, then just having everything else but /boot in one single crypted volume and having enforced SELinux policy would be better system, because SELinux has extra features.

To port SELinux to maemo5 is doable and would benefit in many other use cases.

Then one could just give and drop priviledges as a root user in xterminal (or in SELinux Policy GUI) before one gives a phone to a neighbour.