Managing permission settings applied to applications
US-9075955-B2 · Jul 7, 2015 · US
US9792459B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9792459-B2 |
| Application number | US-201314052080-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 11, 2013 |
| Priority date | Apr 29, 2013 |
| Publication date | Oct 17, 2017 |
| Grant date | Oct 17, 2017 |
Official abstract text for this publication.
A policy arbitration system manages the fundamental communications and isolation between executable components and shared system resources of a computing device, and controls the use of the shared resources by the executable components. Some versions of the policy arbitration system operate on a virtualized mobile computing device to dynamically compile and implement policy rules that are issued periodically by multiple different independent execution environments that are running on the computing device. Semi-dynamic policy changes allow for context enabled policy changes that enforce the desired system and component “purpose” while simultaneously denying the “anti-purpose”.
Opening claim text (preview).
The invention claimed is:

1. A computing device for use with multiple user-level execution environments wherein the environments are isolated from one another to simultaneously protect personal privacy and enterprise security while enabling data sharing, the computing device comprising: one or more hardware processors; and one or more machine accessible storage media having embodied therein a policy arbitration system and a plurality of independently executable domains executable by the one or more processors, wherein: the policy arbitration system is executable to manage access to one or more shared system resources by the plurality of independently executable domains; each of the plurality of independently executable domains having domain-specific policies including use purpose contexts that are unknown to the other independently executable domains, wherein the use purpose contexts are indicative of a personal or non-personal use, wherein a personal use context pertains to at least one domain in which there is a higher need to share information than a domain having a non-personal use context, and wherein the non-personal use context pertains to at least one domain in which there is a higher need to protect information than a domain having the personal use context domain; and the policy arbitration system is executable to determine and enforce, autonomously, dynamically in response to an event trigger, a least restrictive combination of the domain-specific policies that enables the plurality of independently executable domains to execute on the computing device for a use purpose context of one of the independently executable domains without violating the domain-specific policies of any other ones of the plurality of independently executable domains, wherein the determination of the least restrictive combination of domain-specific policies includes analyzing candidate policy implementations associated with the plurality of domains and executable to effectuate defined purposes of the domains, wherein the defined purpose specifies the permitted use purpose context of one or more shared system resources of the computing device, and selecting a least restrictive candidate policy implementation that does not conflict with any of the defined purposes of the domains.

2. The computing device of claim 1, wherein the policy arbitration system is executable independently of any operating system of the computing device and independently of the plurality of domains.

3. The computing device of claim 1, wherein each of the domain specific policies includes a defined purpose and an anti-purpose, wherein the purpose identifies a desired functionality of the computing device for a domain of the plurality of independently executable domains, and the anti-purpose defines an undesired functionality of the computing device resulting from the functionality of the purpose.

4. The computing device of claim 1, wherein each of the plurality of domains is memory-isolated from the other domains and from the policy arbitration system.

5. The computing device of claim 1, wherein the one or more machine accessible storage media comprises a trusted protected memory and the policy arbitration system resides in the trusted protected memory.

6. The computing device of claim 1, wherein the computing device comprises a mobile device having a virtualized system architecture enabling the policy arbitration system.

7. The computing device of claim 1, wherein the plurality of domains communicate with the policy arbitration system and with the one or more shared system resources only through well-defined, secure communication channels.

8. A method for controlling access to one or more shared system resources of a computing device by a plurality of peer domains each having a defined use purpose context that is unknown to the other domains, each of the domains executable independently of the other domains and to request access to the one or more shared system resources, the method comprising, with the computing device: maintaining, independently of the domains, a set of domain-specific policies governing operation of the computing device, the set of domain-specific policies comprising, for each of the domains, at least one policy implementation that effectuates the defined use context purpose of the domain without conflicting with the defined use purpose context of any of the other domains on the computing device; in autonomous response to an event trigger, executing at least one of the policy implementations implicated by the event trigger, wherein the use purpose context is indicative of a personal or non-personal use, wherein a personal use context pertains to at least one domain in which there is a higher need to share information than a domain having a non-personal use context, and wherein the non-personal use context pertains to at least one domain in which there is a higher need to protect information than a domain having the personal use context domain; and for each of the domains, selecting a least restrictive policy implementation from a plurality of candidate policy implementations, wherein the least restrictive policy implementation effectuates the defined purpose of the domain in a least restrictive way without conflicting with the defined purpose of any of the other domains on the computing device, and executing the selected policy implementation in response to the event trigger, wherein a policy arbitration system is executable to determine and enforce the least-restrictive combination of the domain-specific policies dynamically in response to an event trigger.

9. The method of claim 8, comprising associating a value with each of the candidate policy implementations and determining the least restrictive policy implementation based on the value.

10. The method of claim 8, comprising generating the set of domain-specific policies from one or more conversational natural language statements of the defined purpose for each of the domains.

11. The method of claim 10, comprising, for each domain, creating a policy artifact, wherein the policy artifact comprises a machine-readable semantic representation of the one or more conversational natural language statements of the defined purpose of the domain.

12. The method of claim 11, comprising comparing the policy artifact of each domain to the policy artifact of each of the other domains and determining if any of the policy artifacts conflict.

13. The method of claim 11, wherein, for each domain, the policy artifact comprises a set of candidate policy implementations, wherein each of the candidate policy implementations effectuates the purpose of the domain in a different manner.

14. The method of claim 13, comprising associating an event trigger with each of the candidate policy implementations.

15. The method of claim 14, wherein each of the candidate policy implementations specifies an action to be taken by the computing device with regard to one or more of the shared system resources in response to the associated trigger event.

16. A policy arbitration system for a computing device for use with multiple user-level execution environments wherein the environments are isolated from one another to simultaneously protect personal privacy and enterprise security while enabling data sharing, wherein the computing device is configured with a plurality of domains that are independently executable on the computing device to request access to one or more shared system resources of the computing device, the policy arbitration system comprising: one or more processors; and a non-transitor
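The arbitration step that claims 8, 9 and 12 through 15 describe, modelled as an added example that is not part of the patent or of any implementation by its assignee. Domain names, resource-use labels, the event trigger "location:office", and the integer restrictiveness values are constructed for illustration; a candidate is admissible when it grants everything its own domain's purpose requires and nothing that any domain's anti-purpose forbids, and the arbiter picks the admissible candidate with the lowest value.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Domain:
    name: str
    context: str             # "personal" (share-leaning) or "non-personal" (protect-leaning)
    purpose: frozenset       # shared-resource uses this domain requires (its defined purpose)
    anti_purpose: frozenset  # uses that must never be permitted while this domain is present

@dataclass(frozen=True)
class Candidate:
    domain: str
    trigger: str             # event trigger that implicates this implementation (claim 14)
    grants: frozenset        # shared-resource uses the implementation would allow (claim 15)
    restrictiveness: int     # arbitration value; lower means less restrictive (claim 9)

def artifact_conflicts(domains):
    """Domain pairs whose purpose and anti-purpose can never be reconciled (claim 12)."""
    return [(a.name, b.name) for a in domains for b in domains
            if a is not b and a.purpose & b.anti_purpose]

def arbitrate(trigger, domains, candidates):
    """Per domain, choose the least restrictive candidate implicated by the trigger that
    still effectuates the domain's purpose and grants nothing any domain forbids.
    A domain with no admissible candidate maps to None: the arbiter denies the request."""
    forbidden = frozenset().union(*(d.anti_purpose for d in domains))
    chosen = {}
    for d in domains:
        admissible = [c for c in candidates
                      if c.domain == d.name and c.trigger == trigger
                      and d.purpose <= c.grants and not (c.grants & forbidden)]
        chosen[d.name] = min(admissible, key=lambda c: c.restrictiveness, default=None)
    return chosen

# Constructed sample: a personal and an enterprise domain sharing one handset, and the
# candidate implementations each submits for the moment the device enters the office.
PERSONAL = Domain("personal", "personal", frozenset({"mic:calls"}),
                  frozenset({"personal_contacts:export"}))
ENTERPRISE = Domain("enterprise", "non-personal", frozenset({"storage:enterprise_docs"}),
                    frozenset({"camera:capture", "enterprise_docs:share"}))
DOMAINS = [PERSONAL, ENTERPRISE]
CANDIDATES = [
    Candidate("personal", "location:office",
              frozenset({"mic:calls", "camera:capture", "personal_contacts:share"}), 1),
    Candidate("personal", "location:office", frozenset({"mic:calls", "personal_contacts:share"}), 2),
    Candidate("personal", "location:office", frozenset({"mic:calls"}), 3),
    Candidate("enterprise", "location:office",
              frozenset({"storage:enterprise_docs", "enterprise_docs:share"}), 1),
    Candidate("enterprise", "location:office", frozenset({"storage:enterprise_docs"}), 2),
]

if __name__ == "__main__":
    assert not artifact_conflicts(DOMAINS)  # the two purposes can coexist
    for name, c in arbitrate("location:office", DOMAINS, CANDIDATES).items():
        print(name, "->", sorted(c.grants) if c else "denied")
```

Note that the personal domain's least restrictive candidate (value 1) is rejected only because it would grant camera capture, which the enterprise domain's anti-purpose forbids; the arbiter then falls back to the next-least-restrictive candidate rather than to the most restrictive one.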
for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title
Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity · CPC title
operating in dual or compartmented mode, i.e. at least one secure mode · CPC title
Authentication · CPC title
Auditing as a secondary aspect · CPC title