by AnotherGoodName 15 days ago
This very thread was an example where it unintentionally got root access though.

Because of how Docker works, not because of how Unix permissions work.
Unix has always had incredibly weak protections between users. You shouldn't rely on it as a security boundary. Think of it as a "keep honest users honest" protection. And LLMs are not honest.
The protections between users are reasonably strong. Android uses them with great success, by isolating every vendor within their own user. Things start going to hell when everything runs under root for "practicality reasons", like the default, not-rootless Docker setup.
I've seen this sentiment a few times on HN recently. I wonder where it comes from?

The only thing I can think of is that if the protected files are on an unencrypted drive, then you could boot from a live USB (or similar) where you have root and read anything. But that's completely irrelevant as we're talking about a piece of software running on a system without root. In this scenario Unix user permissions are safe, barring user error (such as accidentally granting root, like in this instance).

Of course security holes happen, such as copy-fail, but it's pretty rare in the grand scheme of things, and they tend to get patched quickly (like copy-fail was).
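Added illustration, not from anyone in this thread: a toy model of the Unix discretionary access control (DAC) check the two comments above are arguing about. It shows the per-user boundary holding for unprivileged uids (one uid per app, as in the Android layout mentioned earlier) and collapsing the moment the same process runs as uid 0, which is what a default, non-rootless Docker container gives an agent. All names (`Proc`, `Inode`, `can_access`, `readable_by`) and the sample filesystem are constructed for this example; nothing here is kernel or library code.

```python
"""Toy model of the Unix DAC permission check (hypothetical helper, added here)."""
import stat
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Proc:
    """Credentials of a running process: real uid, primary gid, supplementary gids."""
    uid: int
    gid: int
    groups: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Inode:
    """A file as the kernel sees it for DAC: owner uid, owning gid, mode bits."""
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o600


# Which mode bit answers the question for the owner, group and other classes.
_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def can_access(proc: Proc, inode: Inode, want: str) -> bool:
    """Classic Unix DAC: exactly one class (owner, group or other) applies.

    An owner whose own class lacks the bit is denied even if 'other' has it.
    uid 0 bypasses read/write checks entirely (CAP_DAC_OVERRIDE behaviour) and
    may execute as long as at least one execute bit is set anywhere.
    """
    usr, grp, oth = _BITS[want]
    if proc.uid == 0:
        return want != "x" or bool(inode.mode & (usr | grp | oth))
    if proc.uid == inode.uid:
        return bool(inode.mode & usr)
    if proc.gid == inode.gid or inode.gid in proc.groups:
        return bool(inode.mode & grp)
    return bool(inode.mode & oth)


def readable_by(proc: Proc, fs) -> list:
    """Paths in the constructed filesystem that `proc` could open for reading."""
    return sorted(i.path for i in fs if can_access(proc, i, "r"))


# Constructed sample filesystem: two unprivileged users, one group-shared file,
# one world-readable system file.
FS = [
    Inode("/home/alice/.ssh/id_ed25519", uid=1000, gid=1000, mode=0o600),
    Inode("/home/bob/notes.txt",         uid=1001, gid=1001, mode=0o644),
    Inode("/srv/shared/report.csv",      uid=1000, gid=2000, mode=0o640),
    Inode("/etc/hostname",               uid=0,    gid=0,    mode=0o644),
]

ALICE = Proc(uid=1000, gid=1000, groups=frozenset({2000}))
BOB = Proc(uid=1001, gid=1001)
AGENT_AS_ROOT = Proc(uid=0, gid=0)  # what a default (non-rootless) Docker container hands out

if __name__ == "__main__":
    for name, p in [("alice", ALICE), ("bob", BOB), ("root", AGENT_AS_ROOT)]:
        print(f"{name:>5}: {readable_by(p, FS)}")
```

Running it shows bob confined to his own file and the world-readable one, while the same code as uid 0 reads alice's private key: the boundary between users is real, and the failure in the thread is that the agent was handed uid 0 in the first place.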

That's a terrible distinction to make on a topic about how the coding agent gained root inadvertently.