Multitasking in RISC OS was based on swapping the page tables for the application part of the address space starting at 0x8000. Applications were not relocatable, so memory protection was more like a side effect of the address space layout than a deliberate security feature.
There was some memory protection to make pages read-only for user code, notably page zero (to trap null pointer dereferences, and to protect the interrupt vectors), but my memory is that the system heap (containing the OS modules) was either directly writable from userspace, or it was trivial to make a system call to get write access.