And an often under appreciated tenet of security — even a “good” software can be exposed to “bad” data, and you only need a bug (especially a memory bug, which is exceedingly common because linux userspace can’t get rid of c for the life of it) to have arbitrary code executed.
Like, your pdf reader is surely not evil, but do you trust every single pdf file you open?
I expect my PDF reader to be secure. If the PDF format is too complex to implement safely then the renderer should be sandboxed in the reader itself instead of preventing me from scripting using xdotool and similar.
And unless you fully sandbox your PDF reader then an exploit is going to have access to your user directory without any display server involvement anyway. X11 vs. Wayland doesn't even come into the picture.
That severy limits the usability and even functionality that programs can implement. If you want a phone os then go use one but don't make Desktop Linux into one.
Like, your pdf reader is surely not evil, but do you trust every single pdf file you open?