
Given that threads share an address space, can't the render thread trivially overwrite the call stack of another thread to run attacker-selected functions and parameters?


> Given that threads share an address space, can't the render thread trivially overwrite the call stack of another thread to run attacker-selected functions and parameters?

Yes.

The fact these Linux APIs are per-thread is an artifact of how Linux implements threads, and certainly not a security feature. From a security standpoint, this behavior is more an anti-feature--it's too easy for someone to naively believe they've dropped ambient privileges, unaware that a thread context in the process (a normal process thread, or possibly an io_uring thread or the io_uring context itself) could still possess elevated privileges.
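An added example, not from anyone in this thread, showing the per-thread behaviour described above and the audit a defender would run to catch it. It assumes Linux with /proc, and uses no_new_privs (a per-task attribute, like credentials and seccomp filters) as the stand-in because it needs no root; the worker restricts itself, and the main thread's own flag is unchanged while a walk of /proc/self/task shows exactly one restricted task:

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/prctl.h>
static pthread_barrier_t set_done, audit_done; /* keep the worker alive during the audit */

static void *worker(void *arg) {
    /* PR_SET_NO_NEW_PRIVS is a per-task attribute: it restricts this thread only. */
    *(int *)arg = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    pthread_barrier_wait(&set_done);
    pthread_barrier_wait(&audit_done);
    return NULL;
}

/* Defender's audit: walk /proc/self/task/<tid>/status and count tasks whose
   NoNewPrivs line is 1. Stores the number of tasks seen in *tasks; -1 on error. */
int count_tasks_with_nnp(int *tasks) {
    DIR *d = opendir("/proc/self/task"); if (!d) return -1;
    int with_nnp = 0, v; char path[64], line[256]; struct dirent *e;
    *tasks = 0;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "/proc/self/task/%s/status", e->d_name);
        FILE *f = fopen(path, "r"); if (!f) continue;
        (*tasks)++;
        while (fgets(line, sizeof line, f))
            if (sscanf(line, "NoNewPrivs: %d", &v) == 1 && v == 1) with_nnp++;
        fclose(f);
    }
    closedir(d);
    return with_nnp;
}

/* Returns 1 when the worker's prctl() restricted only the worker: the main thread's
   own flag is unchanged and the audit sees exactly one more restricted task. */
int demo_per_thread_privilege_flag(void) {
    int before_tasks, after_tasks, worker_rc = -1;
    int main_before = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    int nnp_before = count_tasks_with_nnp(&before_tasks);
    pthread_t t;
    pthread_barrier_init(&set_done, NULL, 2); pthread_barrier_init(&audit_done, NULL, 2);
    if (pthread_create(&t, NULL, worker, &worker_rc) != 0) return -1;
    pthread_barrier_wait(&set_done);
    int nnp_after = count_tasks_with_nnp(&after_tasks);
    int main_after = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    pthread_barrier_wait(&audit_done);
    pthread_join(t, NULL);
    return worker_rc == 0 && main_after == main_before && after_tasks == before_tasks + 1 && nnp_after == nnp_before + 1;
}
```

The same /proc walk, comparing the Uid, Gid and CapEff lines across every task, is how to confirm that a privilege drop actually reached all threads rather than just the one that called the syscall.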


There’s also thread local storage though I don’t know whether the stack sits on it.


Thread-local storage is no less visible to other threads, it's merely a little less convenient to access--you need to figure out the address(es) the same as you would for most any other link in an RCE exploit chain.



