
sensitive


Posted Apr 4, 2025 12:00 UTC (Fri) by bjackman (subscriber, #109548)
In reply to: sensitive by NYKevin
Parent article: Page allocation for address-space isolation

Yeah, it's tricky.

All the code I've posted so far just says everything allocated as GFP_USER is sensitive. So, not just file pages but also all anonymous user pages are sensitive. This already goes a pretty long way (it certainly adds a huge amount of extra engineering work for an attacker starting from a pre-ASI exploit) but as you've pointed out there are obvious things that it doesn't include that need to be protected. The other classic example to my mind is stuff copied into the kernel stack from userspace/VM guests.

In principle we should be able to flip this question on its head and instead make the question "what _isn't_ sensitive", i.e. instead of marking stuff as __GFP_SENSITIVE with the default being unprotected (we call this "denylist"), we could protect everything by default and mark exceptions as __GFP_NONSENSITIVE (we call this "allowlist"). So far the general feeling has been that it's more practical to start from something that people can actually deploy and evaluate without worrying about an unpredictable performance disaster. But we could certainly switch to an allowlist model later down the line; it would make good sense to me.



Copyright © 2025, Eklektix, Inc.