oh and this thread should be "closed down". Bodhi is correct on all accounts. The ideas here are merely theoretical and actually have no practical implications...
I see it the other way around: as long as Adobe Flash player is closed source and widely used, it is _not_ a theoretical... (How many people advise - "do not install Adobe Flash player"?)

I could have userTrust for 'private/bank/credit cards' things. I could adjust home dir permissions - not readable by others.
Then, I could have another user - userBad. As userBad I could run Firefox with the Adobe Flash plugin - Adobe Flash installed/enabled _only_ for userBad.
And the fun stops there - Adobe Flash has access to do key logging. Yes, it is me who installs Adobe Flash and gives permissions to the X server.

Then I found I could run Firefox+Adobe Flash in a second (nested) X server (Xephyr), but in that case GLX does not work - performance is as if I remove/uninstall Adobe Flash.

For me, it is a security problem. I can understand if one X application/window can see all running X applications/windows (like to see the list of files)...
But the ability to intercept the data designated for another X application/window (like to see the content of a file/doc) - I do think it is not OK.


(note: I did try to read all old posts... sorry if I missed the point)