Good point about serving non-personal, non-confidential data - in this case, there's no benefit to the process-per-connection model, but there is still a benefit to isolating the private key. Unsure how you could easily separate out the login process from other pages on the site. I think you'd need to use separate hostnames/IP addresses and an SSO-like system.


Sure, but that's already a requirement for a lot of applications, and a lot more can be handled just by setting '.example.com' cookies if they don't have any untrusted subdomains.

Late edit: Ultimately this all comes down to a more general desire for better tools for segregating data and APIs into appropriate security domains. It's still way too much work, especially for small teams, to separate things into appropriate security domains with appropriate tradeoffs.
