There is no kernel IPC path. A cross-domain call is three instructions: call into an entry page, bt to test a domain ID against an authorization bitmap, jmp into the business logic. No privilege switch occurs. No kernel code runs during communication. Parameters travel in registers or shared memory.
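The check-then-jump step described above can be modelled in portable C. This is an added example, not code from the repository: `entry_gate`, `gate_allow`, `gate_call`, the 64-domain bitmap width and the way the caller's domain ID reaches the gate are all assumptions made for illustration. It models only the authorization test and dispatch, not the page-table isolation.

```c
#include <stdint.h>

#define MAX_DOMAINS 64u /* assumed bitmap width; the page gives no size */

typedef int (*logic_fn)(int arg);

/* Hypothetical model of one entry page: its bitmap and its jmp target. */
struct entry_gate {
    uint8_t  allow[MAX_DOMAINS / 8]; /* bit n set => domain n may enter */
    logic_fn target;                 /* stands in for the business logic */
};

/* Models `bt mem, reg`: returns the tested bit (what bt leaves in CF).
 * On x86 the register form does not bound the bit index against the
 * operand size, so the gate has to reject out-of-range IDs itself. */
static int bit_test(const uint8_t *bitmap, uint32_t nbits, uint32_t idx)
{
    if (idx >= nbits)
        return 0;
    return (bitmap[idx >> 3] >> (idx & 7u)) & 1;
}

/* Grant a domain access to this entry; out-of-range IDs are ignored. */
void gate_allow(struct entry_gate *g, uint32_t domain)
{
    if (domain < MAX_DOMAINS)
        g->allow[domain >> 3] |= (uint8_t)(1u << (domain & 7u));
}

/* call -> bt -> jmp: returns 1 and stores the result if the caller's
 * bit is set, returns 0 and leaves *out untouched otherwise. */
int gate_call(const struct entry_gate *g, uint32_t caller, int arg, int *out)
{
    if (!bit_test(g->allow, MAX_DOMAINS, caller))
        return 0;
    *out = g->target(arg);
    return 1;
}

/* Constructed sample: placeholder logic, domains 3 and 17 authorized. */
static int business_logic(int x) { return 2 * x + 1; }

struct entry_gate make_demo_gate(void)
{
    struct entry_gate g = { {0}, business_logic };
    gate_allow(&g, 3);
    gate_allow(&g, 17);
    return g;
}
```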
A caller cannot name the address of business logic because no mapping exists in its page tables. The MMU hardware will not produce that address. This invariant holds regardless of what code the attacker executes.
The same guarantees hold without an MMU. On an 8086, segment descriptors replace page tables. The caller's LDT contains no descriptor for the business logic segment. Hardware refuses the far jump.
The architecture is documented in full. The critical instruction sequences are in the repository. You can count the cycles yourself.