by ayende 450 days ago
In most scenarios, you are no longer running with multiple users on the same machine. Either this is a server, which has an admin team, or a client machine, which _usually_ has a single user.

That isn't 100% true, and local privilege escalation matters, but it is a far cry from remote code execution or remote privilege escalation.


User privilege separation is a foundation that allows many container implementations to work, and for sandboxed software like Tor or, however unlikely it is that you're running atop it, Android, etc.

If someone is running Tor to not end up in prison/dead, their Tor sandbox can be opened for anyone to own, for example.

Root privileges allow for a much wider attack surface for escaping out of a VM. Not using root everywhere still helps with defense in depth.