Exactly, I also find it slightly silly to immediately declare this 'insecure' in this case here.
If it was directly end-to-end on, say, a Nest Hub running a release version of Fuchsia, then that would be more convincing here, as that would confirm that it can be deployed and the bug can be exploited in the wild and in production, and not on a newly built developer version running in an emulator.
The writeup of finding and exploiting this bug is impressive, but whether you can use that exploit to directly attack a production version of Fuchsia on a device like the Nest Hub is another thing, which is the same way security researchers break live versions of other OSes like macOS, Windows, Android and Linux.