>> which causes arbitrary code to be executed on your system, which might
>> then do something like install a spam bot or post your private keys to
>> some irc channel.
> ...or exploit a kernel bug, disable SELinux, escape the sandbox and all
> the other bad things you're saying you're protecting users from.
Which would be harder to pull off than not having to find and successfully exploit a kernel bug.
>> This is an application of the principle of least privilege[...]
> instead it's giving innocent users a false sense of security. but if
> you actually believe your own statements, you're free to give the
> whole world arbitrary code execution rights on your personal box and
> see how long it'll last ;).
Any false sense of security would be the fault of the presentation, not the implementation. Would it be foolproof? Of course not, nothing is. Would it raise the bar, making it less likely for your system to be successfully compromised? Yes, at least once the implementation is matured and when used properly.