Yes; I'm not too familiar with Windows but I know there's no syscall-by-syscall lockdown. However, they were able to disable all Win32k syscalls starting in Windows 8, which is a significant attack surface reduction compared to the past:

https://www.chromium.org/developers/design-documents/sandbox...: