Defending mounted filesystems from the root user

Sure, perfection is impossible for anything sufficiently complex. What I really meant was fixing the issues one knows about, and having the attack vector in mind when designing and writing new code. Not saying the current maintainers have to tackle all that in addition to everything they're already doing - it's clear that adding more work either leads to everything moving at a slower pace, or someone needs to step in and fund more developers. (Someone volunteering is of course also possible, but I have a hard time imagining that "I can use root privileges to make the kernel do funny things" is many people's most important itch to scratch.)

I also should probably have qualified the "never crash" with "in a way that potentially allows privilege escalation". If removable media were by default mounted using something like lklfuse, that would IMHO be a big step in the right direction. But I think this should be mainlined, or decoupled from the actual driver code so much that it can use arbitrary kernel images or modules. Using different versions of the same fs driver (with a different set of features and bugs), potentially interchangeably on the same device, sounds like a recipe for compatibility issues.