Can AppArmor prevent sudo password sniffing through abuse of X Windows System?

Quote https://www.whonix.org/wiki/Dev/Permissions#X_Windows_System

X Windows System

Any graphical application running under X Windows System (X11) can see what any user is typing in any other application for any user. [1] For example, if user user running X11 would run lxsudo -u limited-user some-application that application if compromised could sniff anything that user user is writing. Including but not limited to any sudo password prompts.

See the footnote on that page too.

Can apparmor prevent that?

Related:

https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html

AppArmor prevent access to the the API that xinput is using for global keyboard sniffing?

No. There is work on it though but I haven’t seen any progress https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorXace

SELinux can do this though (among tons of other things apparmor cannot). Switching to SELinux might be a good idea in the future.

SELinux is in Debian. Are you familiar with its syntax?

No, I’m not familiar with the syntax. SELinux is far more complicated than apparmor and harder to learn. I only have a basic understanding of what can be done with it.

Here was some interesting news for SELinux in years.

https://www.phoronix.com/scan.php?page=news_item&px=SELinux-Updates-For-Linux-5.6

Worth asking AppArmor upstream about this or was already discussed?

SELinux: not looking forward to research / debate NSA/SELinux. Best discussed in separate thread. Perhaps even one for technology and one for trustworthiness.

Another way to potential fix this:
Can we replace xfce window manager as an easy path to switch to wayland?

No point considering it when we don;t have someone proficient in profile writing. It would be absolutely worthless to us.

It was already discussed. See the apparmor wiki link above.