Chris, I made some of these points in this back-and-forth that starts here: If not going to change the password? - #3 by entr0py
But I thought Marek’s reply on qubes-users was quite convincing:
The point is _if_ someone is able to run arbitrary code as user, he/she can easily run it also as root, because of the tremendous attack surface of the Linux kernel and all the services running as root. In the worst case one needs some patience and simply waits for you to authorize some command to be run as root (regardless of authorization method - password, qrexec confirmation as described on https://www.qubes-os.org/doc/vm-sudo/ or anything else). In the simplest case one may alias 'sudo' to for example 'sudo /tmp/my-evil-script'.
On the other hand, making it harder to execute arbitrary code in the VM (reducing attack surface) makes sense. Things like SELinux, AppArmor, seccomp filters etc.
Certainly, there’s a psychological comfort in clicking off root authorizations. Feels like I’m in control… maybe that peace of mind is worth it even if the security posture is largely unchanged. I guess as long as that comfort doesn’t lead to more risky behavior, no harm done.