>namespaces (which have been a frequent source of vulnerabilities)...
Unprivileged user namespaces sure, but I don't think that applies to namespaces in general (which without unprivileged user namespaces can only be created by root, and LPE is the concern with unprivileged userns due to increased attack surface). systemd doesn't need unprivileged userns to run.
Services may be in a different mount namespace from systemd for sandboxing or other reasons (also means you have to worry about filesystem permissions I suppose). Passing an fd from the parent (systemd) is a nice direct channel between the processes
>Honest question: why does this matter? If you end up with running malware as your user haven't you already "lost" in any of a wide variety of ways that Wayland does nothing against?
The security benefits of wayland are useful when you're also using other things like namespaces/seccomp (with bubblewrap/flatpak), and pipewire which I believe has a similar access control mechanism.
>Or is it that Wayland is trying to bring the mobile security model to the desktop with partially untrusted apps?
I trust my programs, but they can have bugs when parsing untrusted content. (ffmpeg, browsers). Although I've never been hacked, I'd like my systems to have defenses against this (without going full mobile security mode and giving up functionality and user freedom, or running everything in inconvenient isolated boxes with VMs).
Also, I'm not sure if I'd trust proprietary games, so preventing them from doing naive things (I don't expect them to exploit kernel vulns) like snooping on files by using namespaces is nice.
For good, functionality-related reasons at the time[0], and everyone in the Wayland space had been using the mesa library except nvidia with their own proprietary libgl.
Unprivileged user namespaces sure, but I don't think that applies to namespaces in general (which without unprivileged user namespaces can only be created by root, and LPE is the concern with unprivileged userns due to increased attack surface). systemd doesn't need unprivileged userns to run.