Pondering the X client vulnerabilities

While you are kind of right (Windows apps are equally open to each other, etc), the point is moot when the owned part is the display/X11 server. Because it's the server that is sending your client the keystrokes that you type in your keyboard, and your client cannot distinguish real keystrokes from inserted keystrokes (well, using some sophisticated timing techniques, it can *try*, but all bets are off anyway.)