A secure operating system running on an architecture that does not
supply a privileged mode might operate by providing a virtual machine
interface to the user program and checking each instruction as it is
run. That is, the user's program never runs on the "bare hardware":
the OS inspects each instruction before it executes and does one of
three things with it: runs it as is, runs it with some modification
that makes it safe, or rejects it.
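
The following is an added example, not part of the original answer: a toy instruction-checking virtual machine in Python that makes the three-way decision concrete. The instruction set (LOAD, STORE, ADD, IN, OUT, HALT), the register names, the sandbox window [0x1000, 0x2000) and the sample program are all assumptions made for this illustration, not any real architecture or OS. In-bounds memory accesses run as is, out-of-bounds accesses are rewritten so the address is forced back into the sandbox (the way software fault isolation does it), and direct device I/O is rejected, which stops the program.

```python
# Added example (not from the original text): a toy instruction-checking VM.
# The instruction set, register names and sandbox layout are assumptions
# made for this illustration, not any real architecture.

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SANDBOX_BASE = 0x1000   # assumed: the user program may touch [0x1000, 0x2000)
SANDBOX_SIZE = 0x1000
MEM_SIZE = 0x4000       # whole "physical" memory, including OS data


@dataclass
class VM:
    mem: List[int] = field(default_factory=lambda: [0] * MEM_SIZE)
    regs: Dict[str, int] = field(default_factory=lambda: {"r0": 0, "r1": 0})
    log: List[Tuple[str, tuple]] = field(default_factory=list)

    def check(self, instr):
        """Classify one instruction before it runs: 'run', 'modify' or 'reject'.

        Returns the decision and the (possibly rewritten) instruction."""
        op, *args = instr
        if op in ("LOAD", "STORE"):
            addr = args[1]
            if SANDBOX_BASE <= addr < SANDBOX_BASE + SANDBOX_SIZE:
                return "run", instr
            # Software-fault-isolation style rewrite: mask the offset and
            # re-add the base so the access lands inside the sandbox. The
            # program keeps running but can no longer reach OS memory.
            fixed = SANDBOX_BASE + (addr & (SANDBOX_SIZE - 1))
            return "modify", (op, args[0], fixed)
        if op in ("IN", "OUT"):
            # Direct device access is never safe for a user program; refuse it.
            return "reject", instr
        return "run", instr  # ADD, HALT, ... only touch registers

    def step(self, instr):
        """Check, then execute, one instruction. Returns False to stop."""
        decision, safe = self.check(instr)
        self.log.append((decision, instr))
        if decision == "reject":
            return False
        op, *args = safe
        if op == "LOAD":
            self.regs[args[0]] = self.mem[args[1]]
        elif op == "STORE":
            self.mem[args[1]] = self.regs[args[0]]
        elif op == "ADD":
            self.regs[args[0]] += self.regs[args[1]]
        elif op == "HALT":
            return False
        return True

    def run(self, program):
        for instr in program:
            if not self.step(instr):
                break
        return self.log


def run_sample():
    """Run a constructed program that exercises all three decisions."""
    vm = VM()
    vm.mem[0x0010] = 0x55               # "OS data" outside the sandbox
    program = [
        ("LOAD", "r0", 0x1004),         # in bounds: run as is
        ("STORE", "r0", 0x0010),        # out of bounds: rewritten to 0x1010
        ("OUT", 0x3F8),                 # device access: rejected, run stops
        ("ADD", "r0", "r1"),            # never reached
    ]
    vm.run(program)
    return vm


if __name__ == "__main__":
    for decision, instr in run_sample().log:
        print(f"{decision:7s} {instr}")
```

The checker is the expensive part: every instruction, including the harmless ADD, goes through check() before it can run, which is why the text calls the scheme slow. Note also that the STORE is not silently dropped but redirected into the sandbox, so the OS data at 0x0010 survives untouched.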
This scheme works, but is extremely slow. If the idea is to build a
completely secure OS without a privileged mode and without checking
each instruction, then I don't think it can be done, because one of
those unchecked instructions may access memory or devices in a
damaging way.