The ARM and RISC-V cores supported by RIOT have an execution mode where access to critical core control registers, such as the memory protection settings, is not allowed. ARM calls this unprivileged mode; RISC-V has a similar user mode.
Both implementations offer strong security restrictions by heavily restricting access to the core registers. For example, on ARM, access to the system control block and the system registers is reduced. On RISC-V, all machine mode CSRs are inaccessible.
In practice this would mean that a RIOT thread can be isolated so that it cannot directly modify the scheduler behavior except by voluntarily yielding. The MPU/PMP memory protection mechanisms can be used (and cannot be modified by the thread in unprivileged mode) to isolate critical parts of the memory such as sensitive data, or to allow access to specific peripherals. The scheduler can adjust the protected regions during thread rescheduling.
A small syscall-like interface could be provided for these threads when elevated permissions are required for modifying core settings, such as enabling a specific peripheral interrupt.
One of the challenges with this is that unprivileged/user mode is not allowed to mask interrupts, something that is quite heavily used throughout RIOT to guarantee atomic access to objects.
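The syscall-like interface described above could be modelled as follows. This is an added, host-runnable sketch and not RIOT code: the names `thread_ctx_t`, `svc_dispatch`, `sim_irq_state`, the `SYS_*` constants and the per-thread IRQ allowlist are all hypothetical. It shows the privileged side validating the syscall number, the argument range and the caller's rights before changing an interrupt enable bit, so the gate cannot be used to reach peripherals the thread was never granted.

```c
/* Added example, not RIOT code: all names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#define NUM_IRQS 32u
enum { SYS_YIELD, SYS_IRQ_ENABLE, SYS_IRQ_DISABLE };
enum { SYS_OK = 0, SYS_ENOSYS = -1, SYS_EINVAL = -2, SYS_EPERM = -3 };

/* Per-thread rights, filled in by privileged code at thread creation. */
typedef struct {
    uint32_t irq_allow;   /* bit n set: thread may control IRQ n */
} thread_ctx_t;

/* Stand-in for the interrupt controller's enable register. */
static uint32_t sim_irq_enabled;
uint32_t sim_irq_state(void) { return sim_irq_enabled; }

/* Runs privileged (e.g. from the SVC/ecall handler). num and arg come from
 * unprivileged code and are validated before any register is touched. */
int svc_dispatch(const thread_ctx_t *caller, uint32_t num, uint32_t arg)
{
    switch (num) {
    case SYS_YIELD:
        return SYS_OK;                 /* scheduler call would go here */
    case SYS_IRQ_ENABLE:
    case SYS_IRQ_DISABLE:
        if (arg >= NUM_IRQS) {
            return SYS_EINVAL;         /* range check before shifting */
        }
        if (!(caller->irq_allow & (UINT32_C(1) << arg))) {
            return SYS_EPERM;          /* not this thread's peripheral */
        }
        if (num == SYS_IRQ_ENABLE) {
            sim_irq_enabled |= UINT32_C(1) << arg;
        } else {
            sim_irq_enabled &= ~(UINT32_C(1) << arg);
        }
        return SYS_OK;
    default:
        return SYS_ENOSYS;             /* unknown numbers are rejected */
    }
}

int main(void)
{
    thread_ctx_t sensor = { .irq_allow = UINT32_C(1) << 5 }; /* constructed */
    printf("irq 5: %d, irq 6: %d\n", svc_dispatch(&sensor, SYS_IRQ_ENABLE, 5),
           svc_dispatch(&sensor, SYS_IRQ_ENABLE, 6));
    printf("enabled mask: 0x%08x\n", (unsigned)sim_irq_state());
    return 0;
}
```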