Ugh, they cannot fix it because this is not something that wayland can fix at all.
Look, if you have user access to the account, you can get its data. Even if you somehow make Wayland 100% secure, you can still replace “firefox” shortcut with malicious version which also steals all your passwords. No windowing aystem involved at all.
The X11 protocol allows any client connected to the server to become a keylogger or insert input events. So, even a X11 client trapped in a sandbox or another user account has full access.
The X11 protocol doesn't enable this, even if the most widely used X11 implementation does. An implementation could isolate clients by dropping events and returning blank rectangles for GetImage calls.
IMO the main problem there is that the UX around dropping events and returning blank rectangles is bad. We have the tools to design other protocols centered around a real security architecture that can communicate intent properly and doesn't need to return fake data.
It's probably a better idea to throw BadWindow or BadDrawable when an untrusted client queries about windows or pixmaps it doesn't own.
As for dropping events... the idea is to isolate clients, such that it's as if X resources not owned by the client do not exist to the client. If the UX of the client depends on violations of that rule, then it's either a program like a window manager that should go on a trusted whitelist, or it's up to something nasty.
Note that Firejail does this by using Xpra as a proxy to the real X server.
IMO, X11 is practically unusable without NX/Xpra, but it has other UX issues and it still doesn't do exactly what you'd want. Throwing a protocol error is also bad UX. There's no way to present that to the user other than saying "hey this didn't work, go fix it in some other system-dependent place that I may or may not know about."
