[bitwize]

It's probably a better idea to throw BadWindow or BadDrawable when an untrusted client queries about windows or pixmaps it doesn't own.

As for dropping events... the idea is to isolate clients, such that it's as if X resources not owned by the client do not exist to the client. If the UX of the client depends on violations of that rule, then it's either a program like a window manager that should go on a trusted whitelist, or it's up to something nasty.

Note that Firejail does this by using Xpra as a proxy to the real X server.

[cycloptic]

IMO, X11 is practically unusable without NX/Xpra, but it has other UX issues and it still doesn't do exactly what you'd want. Throwing a protocol error is also bad UX. There's no way to present that to the user other than saying "hey this didn't work, go fix it in some other system-dependent place that I may or may not know about."