This has been stated around the web a lot lately...
Why so sudden a concern?
In actuality, it is a bit of a Trojan Horse. As a claim, that is.
The security stance is that X11 allows access in Root Processed systems to the display, whereas Wayland only allows access to the display for that app which is accessing it.
As you can see:
- That doesn't make any difference. If any app has access to the display, whether it is one at a time or all at once makes Zero Difference to whether or not the Display is accessed. The claim of an exploitable access point is equally valid either way, therefor Wayland must, by default, be as insecure as they claim X11 is. Having Wayland run the app in a container makes no difference to the display being accessed.
- This claim is based on the idea that a Root processed application would have access: this means that the user must authorize that application. It must get past Linitan, Launchpad and the users Sudo Authorization, then gain access to display. Some perspective - almost every app you install must gain access to display... You want to see its GUI output, don't you? The only way to plug this hole is by running a headless server. Wayland does nothing to fix that and it cannot.
- The above narrows this down to the security threat needing direct local (not remote) access to the computer. Unless your roommate is a hacker...
These claims start looking like a whole lot of hot air.