I have looked at what is run by what, using ps fax and the system monitor.
Although many programs are run by gdm, nautilus among them, they all run in the "x-session-manager" branch and nothing is run by Xorg. Only two things, Xorg and x-session-manager, are run by gdm directly. What will happen if I restrict only Xorg? If the video driver is in Xorg, it would work.
How can I restart Xorg? By quitting and logging in, I think.
And firefox is not run by x-session-manager. I have just started gedit to check, and I see that it also does not run in the gdm branch.

What do you think about restricting the installer of ".deb" files? That is, to install deb files for Ubuntu obtained from different sites relatively harmlessly, because a deb file can (or always?) contain a script, and it runs as root. As far as I know, there are many deb files of newer versions of programs that are in Ubuntu's own repository, and also of programs that are not in the repository, closed-source programs among them.
For example, the process of installing a deb file should not browse files in /mnt/ subdirectories, I think.