> Regarding Wayland security, security has to be possible, but not mandated.
If it's not enabled by default, nobody will use it because it won't get testing and bugs won't be fixed.
> By locking down applications we make them less useful.
Only a very limited set of applications has to be "locked down" in the Wayland/Weston case. Any "classic" application won't even notice the change.
> Think for instance what will happen if the Unix shell mandated integrity of input or confidentiality of output for all programs: pipes would be impossible.
This is hardly comparable. On a classic *nix system, you use different users to separate tasks which should not interact with each other. Communication channels between users (pipes...) must be explicitly created, most of the time by the most privileged user. Without MAC (Mandatory Access Control) there is no confinement between applications of the same user.
With GUI applications, everything runs under the same user, so we cannot rely on user separation anymore. In the Wayland/Weston case, only explicit, user-controlled channels allow interactions between applications (drag & drop, copy & paste).
> Having insecure input and output, _in_addition_ to secure ones, is clearly desirable and good.
Again, people will naturally choose the easy way over the hard way.
In order to work, security has to be a default, built-in design feature which should make common operations easy, and control uncommon ones.
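As an added illustration of the point made above about same-user processes (example code, not part of the original thread), the script below spawns a helper process under the same uid and shows that ordinary DAC lets the parent signal it and, on Linux, read its command line and environment from /proc. The contrast is PID 1, which an unprivileged user cannot signal: the user boundary is what confines processes, and nothing does so within one user unless MAC is in place. The helper command, the `SECRET` variable and the `/proc` checks are assumptions for this demo; the `/proc` part is Linux-specific and is skipped elsewhere.

```python
"""Added example: without MAC, processes of the same Unix user are not
confined from each other. Assumes a POSIX system; /proc checks are
Linux-only and skipped on other systems."""
import os
import signal
import subprocess
import sys


def probe_process(pid):
    """Return what the calling user may do to process `pid` using only
    ordinary DAC (discretionary access control) checks."""
    result = {"pid": pid, "can_signal": False, "cmdline": None,
              "environ_readable": False}
    try:
        os.kill(pid, 0)  # signal 0: permission check only, nothing is delivered
        result["can_signal"] = True
    except PermissionError:
        return result  # different uid (and we are not root): confined by the user boundary
    except ProcessLookupError:
        return result  # no such process
    # Linux only: /proc exposes a process's command line and environment to
    # its owner (and to root); other users get a permission error on environ.
    proc = f"/proc/{pid}"
    if os.path.isdir(proc):
        try:
            with open(f"{proc}/cmdline", "rb") as f:
                result["cmdline"] = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            pass
        try:
            with open(f"{proc}/environ", "rb") as f:
                f.read(1)
            result["environ_readable"] = True
        except OSError:
            result["environ_readable"] = False
    return result


def demo_same_user_child():
    """Spawn a helper under our own uid (assumed helper command), probe it,
    then stop it. `can_signal` is True because nothing separates us from it."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)"],
        env={"SECRET": "visible-to-any-same-uid-process"},  # constructed sample
    )
    try:
        return probe_process(child.pid)
    finally:
        child.send_signal(signal.SIGTERM)
        child.wait()


if __name__ == "__main__":
    print("child (same uid):", demo_same_user_child())
    # PID 1 is normally root's init; as an unprivileged user this reports
    # can_signal=False, which is exactly the user separation GUI apps lack.
    print("pid 1           :", probe_process(1))
```

Run it as an unprivileged user to see both halves; run as root and the second probe succeeds too, which is the "most privileged user" case mentioned above.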