jchw 5 days ago
Yeah, with Qubes that's exactly what they do. I forget what the software is called, but they use an X11 proxy that tries to enforce policy. That said though, that does require you to proactively run every X application with this sandboxing. For Qubes which forces everything into VMs this is doable, but for most other systems there isn't an obvious way to handle this sort of thing. My only major complaint about Wayland that can't just be fixed relatively easily is Mutter refusing to support SSD. (Well, the actual technical problem could be fixed relatively easily, but the social one not so much.)
fpoling 5 days ago
Firejail uses nested X11 servers like Xephyr or xrdp to restrict application access to the primary X11.