What I think makes this especially interesting is that you can use this exception dispatch to build an interpreter. Think of it like a bytecode interpreter, where the codes are exceptions and the behaviors are the handlers. Because the faults are a function of the underlying code present in the module, it could even be used for early fingerprinting/binding to the intended target. You can make decoding a stage an absolute pain because it's dependent on the exact memory layout of the target process, which could itself have been manipulated by the attacker earlier as a kind of decoding key, causing replay attempts to fail and frustrating analysis.
And remember, an exception re-enters the handler, so you can even probe safely against unmapped pages.