Providing quality of service for secure workspaces having copy-on-write layers

What is claimed: 1. A method, implemented by a priority filter, for providing quality of service for secure workspaces having copy-on-write layers, the method comprising: loading the priority filter in an I/O subsystem above an isolation filter such that I/O requests passed down the I/O subsystem are received by the priority filter before the isolation filter, wherein the isolation filter is configured to enforce a quota that is defined for a portion of physical storage resources that are allocated to one or more copy-on-write layers corresponding to one or more secure workspaces; receiving, at the priority filter, a first write that targets a first copy-on-write layer of the one or more copy-on-write layers, the first write originating from the one or more workspaces; determining that the first write targets the first copy-on-write layer and is associated with a first priority; based on the determination that the first write targets the first copy-on-write layer and is associated with the first priority, allowing the first write to be serviced immediately by the isolation filter; receiving a second write that targets a second copy-on-write layer of the one or more copy-on-write layers, the second write originating from the one or more workspaces; determining that the second write targets the second copy-on-write layer and is associated with a second priority; and based on the determination that the second write targets the second copy-on-write layer and is associated with the second priority, preventing the second write from being serviced immediately by the isolation filter. 2. The method of claim 1 , wherein the first priority is a high priority and the second priority is a lower priority. 3. The method of claim 1 , wherein the first copy-on-write layer and the second copy-on-write layer are the same copy-on-write layer. 4. The method of claim 1 , wherein the first copy-on-write layer and the second copy-on-write layer are different copy-on-write layers. 5. The method of claim 1 , wherein preventing the second write from being serviced immediately by the isolation filter comprises storing the second write in a queue. 6. The method of claim 5 , wherein the queue is segmented. 7. The method of claim 1 , wherein the first write originates from a first secure workspace of the one or more secure workspaces and the second write originates from a second secure workspace of the one or more secure workspaces. 8. The method of claim 1 , further comprising: allowing the second write to be serviced by the isolation filter after the first write is serviced by the isolation filter. 9. The method of claim 7 , wherein the first write is determined to be associated with the first priority based on determining that the first write originated from the first secure workspace. 10. The method of claim 1 , wherein determining that the first write is associated with the first priority comprises determining that the first write originated from a first application. 11. The method of claim 1 , wherein determining that the first write is associated with the first priority comprises accessing one or more hints associated with the first write. 12. The method of claim 1 , wherein preventing the second write from being serviced immediately comprises limiting a bandwidth of a source of the second write. 13. The method of claim 1 , wherein preventing the second write from being serviced immediately comprises limiting a number of writes that a source of the second write can make during a period of time. 14. The method of claim 1 , wherein determining that the first write is associated with the first priority comprises accessing priority configurations. 15. One or more computer storage media storing computer executable instructions which when executed implement a priority filter that is configured to perform a method for providing quality of service for secure workspaces having copy-on-write layers, the method comprising: loading the priority filter in an I/O subsystem above an isolation filter such that I/O requests passed down the I/O subsystem are received by the priority filter before the isolation filter, wherein the isolation filter is configured to enforce a quota that is defined for a portion of physical storage resources that are allocated to one or more copy-on-write layers corresponding to one or more secure workspaces; receiving, at the priority filter, a first write that targets a first copy-on-write layer of the one or more copy-on-write layers, the first write originating from the one or more workspaces; determining that the first write targets the first copy-on-write layer and is associated with a first priority; based on the determination that the first write targets the first copy-on-write layer and is associated with the first priority, allowing the first write to be serviced immediately by the isolation filter; receiving a second write that targets a second copy-on-write layer of the one or more copy-on-write layers, the second write originating from the one or more workspaces; determining that the second write targets the second copy-on-write layer and is associated with a second priority; and based on the determination that the second write targets the second copy-on-write layer and is associated with the second priority, preventing the second write from being serviced immediately by the isolation filter. 16. The computer storage media of claim 15 , wherein the method further comprises: receiving priority configurations that define a priority of one or both of: secure workspaces; or applications; and wherein the priority filter uses the priority configurations to determine the first and second priorities. 17. The computer storage media of claim 15 , wherein preventing the write from being serviced immediately by the isolation filter comprises causing the write to be serviced after a period of time has elapsed. 18. The computer storage media of claim 15 , wherein preventing the write from being serviced immediately by the isolation filter comprises failing the write. 19. A system comprising: a management server; and one or more user computing devices, each user computing device including a host agent that receives priority configurations from the management server, each user computing device also including a priority filter that is configured to perform a method for providing quality of service for secure workspaces having copy-on-write layers, the method comprising: loading the priority filter in an I/O subsystem above an isolation filter such that I/O requests passed down the I/O subsystem are received by the priority filter before the isolation filter, wherein the isolation filter is configured to enforce a quota that is defined for a portion of physical storage resources that are allocated to one or more copy-on-write layers corresponding to one or more secure workspaces; receiving, at the priority filter, a first write that targets a first copy-on-write layer of the one or more copy-on-write layers, the first write originating from the one or more workspaces: determining that the first write targets the first copy-on-write layer and is associated with a first priority, wherein the first priority is determined based on the priority configurations: based on the determination that the first write targets the first copy-on-write layer and is associated with the first priority, allowing the first write to be serviced immediately: receiving a second write that targets a second copy-on-write layer of the one or more copy-on-w