I hadn't thought in detail about it, but my thinking was that ultimately we'd want to make a PluginPlaceholder for NaCl. Similar to how we do missing or disabled plugins:
https://code.google.com/p/chromium/codesearch#chromium/src/components/plugins/renderer/loadable_plugin_placeholder.h&rcl=1424206797&l=16
The NaCl one could do all the necessary resource fetching, etc, and never invoke any Pepper stuff until the untrusted module is ready to be initialized. This would get rid of a bunch of the "SwitchToOutOfProcessProxy" complexity.
I haven't thought hard about where this lives and how we "hook" plugin loading to determine if something needs the NaClPluginPlaceholder.
We also need to make sure we still show support for the NaCl MIME types, even after the NaCl plugin is gone.
(I.e. "navigator.mimeTypes['application/x-nacl']')