According to the MSDN, in .NET 4.0 basically you should not use ISerializable for partially trusted code, and instead you should use ISafeSerializationData
Quoting from https://learn.microsoft.com/en-us/dotnet/standard/serialization/custom-serialization
Important
In versions previous to .NET Framework 4.0, serialization of custom user data in a partially trusted assembly was accomplished using the GetObjectData. Starting with version 4.0, that method is marked with the SecurityCriticalAttribute attribute which prevents execution in partially trusted assemblies. To work around this condition, implement the ISafeSerializationData interface.
So probably not what you wanted to hear if you need it, but I don’t think there’s any way around it while keeping using ISerializable (other than going back to Level1 security, which you said you don’t want to).
PS: the ISafeSerializationData docs state that it is just for exceptions, but it doesn’t seem all that specific, you may want to give it a shot… I basically can’t test it with your sample code (other than removing ISerializable works, but you knew that already)… you’ll have to see if ISafeSerializationData suits you enough.
PS2: the SecurityCritical attribute doesn’t work because it’s ignored when the assembly is loaded in partial trust mode (on Level2 security). You can see it on your sample code, if you debug the target variable in ExecuteUntrustedCode right before invoking it, it’ll have IsSecurityTransparent to true and IsSecurityCritical to false even if you mark the method with the SecurityCritical attribute)