X11 should restore its desired kernel kbd mode whenever the user switches back to its VT
So, I am pretty sure there's some bug with X11's handling of VT switches: when it operates on top of logind it apparently doesn't reset the VT's kbd back to its desired mode whenever the user switches back to its VT, and thus any keypresses end up both on the VT behind the X11 session and in X11. This then has the effect that passwords might be leaked onto the console in the background, and when X11 dies the user then active can see that.
There's a bug about this here:
https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1803993
It ended up being assigned to systemd, and the Ubuntu folks prepared a change here, that was supposed to fix that:
https://github.com/systemd/systemd/pull/12378
With that change logind would never muck with the kbd setting if the kbd wasn't in unicode/xlate mode anyway, so that X11 doesn't have to reset the kbd mode on its own ever, because we never change it from X11's defaults.
The patch effectively made the kbd unusable in other cases, hence:
https://github.com/systemd/systemd/issues/12616
I think I'll revert #12378 in systemd now, but this means this should be fixed in X11, i.e. it should be sufficient to call something like "ioctl(vt, KDSKBMODE, K_OFF)" whenever it takes possession of the screen.
(That's at least my understanding of the issue, maybe I missed something, I mostly just did some armchair investigations.)
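
Added example, not part of the original report and not Xorg or systemd code: a sketch of the re-assertion described above, where the display server reads the VT's kbd mode each time it regains the VT and forces it back to K_OFF if something changed it in the meantime. The helper names `ensure_kbd_mode` and `on_vt_acquire` are hypothetical; only the `KDGKBMODE`/`KDSKBMODE` ioctls and `K_OFF` come from the kernel headers.

```c
/* Added illustration; helper names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/kd.h>   /* KDGKBMODE, KDSKBMODE, K_OFF */

/* Put the VT behind vt_fd into the desired kbd mode.
 * Returns 0 if it was already there, 1 if it had to be changed
 * (something altered it while we were switched away), -1 on error. */
int ensure_kbd_mode(int vt_fd, int desired)
{
    int current;

    if (ioctl(vt_fd, KDGKBMODE, &current) < 0)
        return -1;              /* not a VT, bad fd, ... */
    if (current == desired)
        return 0;
    if (ioctl(vt_fd, KDSKBMODE, desired) < 0)
        return -1;              /* e.g. insufficient privileges */
    return 1;
}

/* Hook to call every time the display server takes possession of its VT. */
int on_vt_acquire(int vt_fd)
{
    return ensure_kbd_mode(vt_fd, K_OFF);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /dev/ttyN  (the display server's own VT)\n", argv[0]);
        return 2;
    }
    int fd = open(argv[1], O_RDWR | O_NOCTTY);
    if (fd < 0) { perror("open"); return 1; }
    int r = on_vt_acquire(fd);
    if (r < 0) perror("kbd mode");
    else printf("%s: kbd mode %s\n", argv[1], r ? "was wrong, reset to K_OFF" : "already K_OFF");
    close(fd);
    return r < 0;
}
```

A return value of 1 from `on_vt_acquire` is worth logging: it means keystrokes could have reached the background console since the last switch.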