Re: CrAPI
The only obvious ways on modern hardware would be to hide everything behind interprocess communication (with its inefficiency) or put the entire implementation in the kernel (insecure, panic-prone, and also often slower due to frequent kernel mode switching).
Long, long ago there was an architecture called the VAX which had 4 rings: kernel, executive, supervisor and user. The kernel had the, well, kernel. Executive mode had the filesystem: you could only call to nominated entry points via a trap, and if it crashed, it couldn't take the kernel with it. Supervisor mode had the command shell, and finally user mode the actual application.
Early Intel x86 had 4 rings too, but no-one used them so I think Intel relegated the unused 2 to an inefficient stub implementation, and have, I think, now deprecated or already removed them (while adding negative-numbered rings for hypervisors). In any case, modern operating systems don't use them.
Now I hear you say that at least the linker symbols should have somehow been obfuscated or removed. But experience shows that even if you do that, someone will figure it out and call it anyway. I recall on the aforementioned VAX/VMS systems there was a very popular third-party utility which "knew" the addresses of certain structures in the file system, and needed to be installed CMEXEC (i.e. define its *own* traps to ring 1). Of course, the operating system vendor got blamed when it broke on an operating system major version update when the magic addresses they were using changed.
I think the Electron people had it coming.