[buildzr]

That threat model essentially prohibits "tmux attach", which allows an attacker running as your user to connect to your terminal session, so I don't think it's a particularly useful threat model here. That's basically exactly what we signed up for by using tmux.

[jchw]

This is definitely a useful threat model because people are running tmux on servers and almost certainly do not realize that this can happen.

You do appear to be correct that it's exploitable via other, also trivial, means. That does not make the situation any less bad.

[buildzr]

Running on a server doesn't change anything, you'd need to be running on a server where you routinely give people who shouldn't have root access, access to an account with sudo privileges with a password. And be relying on your attacker to not say, simply put aliases into your shell, replace your shell, modify your path, add an LD_PRELOAD, ptrace your processes, etc.

That should be absolutely no one.