AFAIK the security limits are intentional and when they add new NaCl APIs they will have the same restrictions as the equivalent JS version of the API. NaClets that run within an "app" instead of a "page" may be able to bypass some restrictions, though.