Two things, 1) Rootless X server has been introduced in the Linux world with the opensource gfx drivers preparing to take advantage f this. 2) SELinux has the ability to run a GUI program sandboxed with its own copy of X using Xephyr.
There is no easy solution. Running each GUI program sandboxed with its own copy of X does not sound very practical.
But, except intercepting keystrokes on its own from the whole X server, what is the purpose of xinput? Is it used by any other package? In Debian, it comes as a separate package. So in the meantime, I have run “sudo apt-get purge xinput” in both the host and and Whonix workstation. At the moment, that seems to do the job without penalty.
Purging xinput won’t do the trick. It’s a diagnostic tool but not required to get the functionality of it.
The idea of separating user accounts is, the if one user account is compromised, but root isn’t, that the other user accounts can have their private data untouched and unread by the compromised one.
Any user account that is compromised can simply re-implement xinput’s functionality itself, such as the malware could download a plugin to get this functionality (or come with this functionalist in it’s core).