Pays to read.

Short version. You know that different endianness support between client and server with X11 protocol we decided to allow history in way that can be changed at any time turns out to be a down right horrible idea and you should simple disable. Of course users disable because they have some application they want to use.

Once you start doing all the recommendations to configure X11 to be secure like disable the endianess problem turn on XACE with selinux and so on the result is your X11 solution basically totally not usable.

The fixes to lots of X11 server security problems is know. The problem here is the fix to X11 protocol security problems end up being X11 protocol breaking equaling your applications don't work any more.

The idea of could have easily fixed with X11 is because you have never used a secured version of X11 where it questionable if move a window will work let alone anything else..

[ if things on Wayland are not functional, there's hardly reasoning for a change. Seems X11 is more concerned (or functional) with older and maybe also deprecated hardware or exceptional settings, because of years with users demanding difficult or rare implementations.
From my pov&experience Wayland is not mature for 'every' former setting&hardware requirement, but probably is for more conventional requests and (recent) standards. ]

On a correctly configured machine, it is impossible for an unprivileged user to access the raw framebuffer. They have to go through X (and its authorization process). Some operating systems don't even provide a framebuffer device (i.e fb0).​ Same with the raw input devices and drm devices, they are inaccessible to unprivileged users.

Some distros weaken this for both Xorg and Wayland compositors using the video or input group and shoving users into it which is a bit daft and is basically a security hazard. Instead the display server is privilege separated (preferably also using something like pledge(2) and unveil(2)) and its effective uid is in the correct groups.

I'm not talking about reading the raw framebuffer, but to access other applications windows, and that includes the root window.

you specifically mentioned "framebuffer"?

As I mentioned before, only applications that you give permission to (by giving them access to the Xauthority file), will be able to access your Xorg session.

I.e An application run in i.e an Xnest, Xephyr, etc with its own Xauthority file (and display socket) will be unable to access any of your other programs running on your main Xorg session.

Did you actually read the bug discussion? They didn't fix it because it wasn't their code. I don't know what that says about Chromium not working with X security extension, but it's not somehow worse that the bug was not addressed by Google; it's a perfectly normal outcome.

Somebody is really upset. It seems you could just release X11R7 but got real busy with other wonderful things whatever they are. I understand you can't do everything and how upsetting the others fail everything else. Still, I have hopes you can spare some time to help with X11R7. Listen to this guy everyone! He is yelling for god's sake!

Complaining that VRR and HDR are eye candy is stupid. Of course they are, and we want that eye candy. I don't see how HDR is not a functionnality for a photo editor, VRR is nice for some animations...

Some enterprising bastard got to X11R7 before him: https://www.x.org/wiki/Releases/7.0/

Oh well, there is always X12 to work on.

Someone's mad X11 gets closer to perfection and zero exploits while Wayland will forever remain a crippled garbage.

Cope harder.