Weston, please allow command line options to Xwayland. with firejail, this can prevent non x11 apps spying on x11 apps
Submitted by pix..@..il.com
Assigned to Wayland bug list
for example, Xwayland could have command instead of path
[xwayland] command=/usr/bin/Xwayland -nolisten tcp -nolisten local
then sandboxes like firejail can make local x servers for apps that cant see eachother, or prevent an app from seeing x11 at all, without having to make a new network namespace.