But since you cannot escape a sub-hurd currently, it has limit use;
    one cannot run for example a web server inside a sub-hurd for security
    reasons, since you cannot send things outside of the sub-hurd (no
    access to the network).

Now we are getting at the real issues.  For most purposes, we would
need the sub-hurd to allow certain limited ways of writing data out of
the sub-hurd.

Would you like to work on implementing such facilities for sub-hurds?

    It just occured to me that another way to allow a sub-hurd to
    communicate outside of its enviroment is to run a server outside the
    enviroment, that listens and intercepts communication, and injects
    messages into the sub-hurd enviroment.

I do not really understand what that means.  Could you describe
it in more detail and more concretely?