I don't see how a lack of sandboxing would decrease your attack surface, since you need to communicate with the OS somehow. A sandbox just moderates that communication.
I also don't understand "If the project is sufficiently secure without multi-process, adding layers only increases the surface area". The point of layers is that each one needs to be breached in order to craft a full exploit. If one layer is sufficiently secure without multi-process then in the worst case your defense-in-depth is merely redundant, regardless of the attack surface of the remaining layers (though obviously "sufficiently secure" is fairly impossible to prove).
If there is a bug in the mechanism used to ferry messages between the two processes, as that mechanism lives in the kernel, only that one mechanism needs to be breached to attack the computer: sometimes, "layers" are more like a "chain", which are only as strong as the weakest "link". (However, that is much less likely than an issue in the native GUI components, or the apparently non-negligible amount of unsafe C/C++ and JIT'd code used by Servo.)
I also don't understand "If the project is sufficiently secure without multi-process, adding layers only increases the surface area". The point of layers is that each one needs to be breached in order to craft a full exploit. If one layer is sufficiently secure without multi-process then in the worst case your defense-in-depth is merely redundant, regardless of the attack surface of the remaining layers (though obviously "sufficiently secure" is fairly impossible to prove).