Regarding S/370 (now z/OS) memory allocation, this statement, "Of course, all that means that your corewalker just has to avoid the first byte and it's safe but the principle can be extended"
The part of memory that shows who "owns" it is not addressable by user programs, but by the OS. You don't get to skip it.
Depending on the implementation, though, that is not necessarily bulletproof. If the memory is owned by the service provider, such as the SSL task, rather than the requestor, there is no restriction.
The mainframe OS has other mechanisms to avoid this sort of problem, some based on architecture, some based on the security software (which is forced through certain hoops BY the architecture.)
Not fool-proof, certainly, but it makes this sort of vulnerability exceedingly rare.