@lanodan @mia @phnt If your setup requires you not to trust the user, you shouldn't give the user access to things to start with.
They should be assumed to have control over their endpoints (and truly should have it too).
Possession of the hardware breaks essentially all the security guarantees you might otherwise have, anyway.
(Yes, multi-user systems are fundamentally problematic as far as security goes. Hardware vulnerabilities mean no amount of formal proofing & verification of the system suffices.)
Programs should be limited by capabilities (so should their addressing; they should have no access to raw memory), and users should be able to grant them as necessary. Due to the hardware vulnerability problem still existing, this whitelist approach /still/ means the user has to make sure the programs they use are not malicious, because otherwise all the other security properties of the system may be defeated by the first convenient hardware vulnerability to be found & exploited (yes, this is antithetical to black boxes, proprietary or otherwise).