> [2] in another thread, pledge("stdio rpath wpath"), and returns.
>    the process is now pledged.

How can this be allowed?

I am pretty sure sys_pledge should single-thread the process, which
means it will wait until other threads complete their in-kernel sleeps.

Obviously not all pledge-variable checks occur before the first
in-kernel sleep of other system calls.