I just confirmed that Android uses a largely unmodified kernel, so in theory it should be possible to just implement whatever extra components make up the Android system. To your points:

- Sandboxing: Android accomplishes this by running each app in the context of a different UID.

- No root access: Like above, user-installable apps are given separate UIDs. The GUI and other system processes probably also get random UIDs. Probably very little of the Android system runs as UID 0. (However, I don't really believe that keeping the user from doing things as root is a valuable security feature, as long as the user is competent)

- Verified boot: There's nothing specific to Linux/Android about this, right? The bootloader handles checking the signature.

- Hardware-backed key store: Isn't this, as the name implies, "hardware"? So it should be OS-agnostic, right? Maybe Linux doesn't use it, and Android does, but someone just needs to write a driver for it (and maybe some bytecode implementation or whatever, if it's some secure enclave thing, which it seems to be).

- User profiles encrypted independently: I don't think the Linux kernel supports encrypting profiles, this is a userland feature of Android, and could therefore be ported to Linux.