> It's hard to overstate how much of a benefit this is in terms of security for those on Linux.
I assumed you talked about "those on Linux", not "those on Linux who have non-negligible probability of being targeted by hostile nation-states".
It's often difficult to step back and re-evaluate initial claims, and we sometimes choose to use tactics like zooming in on improbable contexts to justify them. But I think it's healthy to face criticism that may snap us out of it, so I'm writing this comment. But it's late now, so I will not be able to follow up anymore.
We are talking about users of the Linux operating system. Many of them do know what a VM is. If they don't, or if they expect to be able to run untrusted programs willy nilly, then the benefit of Firefox doing this is, again, basically zero.
As I cannot reply to your reply, I will write the response here. By using Wayland, surely the direct benefit of this change to you is zero...
By the probability of this risk scenario (visit evil.com, be the victim of a successful RCE, with a particular method of privilege escalation that somehow gets all the right details to work) it sure looks to me like you overstated the expected benefit (negative loss).
I do concede that our utility functions may differ, if you actually believe it and not just inflating the importance of this issue.
Also I may have a bias in that I disable JavaScript by default, so the probability of such a risk is much lower. I tried to not make that assumption though, in judging the expected loss.
Since I cannot reply to your other comment, I will respond here. What proportion of Firefox-Linux users do you think are victims of such RCE attacks?