The next easy attack vector is a (non-rootless) docker run with a rootfs mount; many are in the docker group even when sudo is protected.
Also, most sensitive data is in the user scope anyway (on a PC).
You should always run dev stuff in containers to start with.
And when your system is compromised, reprovision from a higher scope; there are too many places to hide backdoors.
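As an added illustration of the risk the comment points at (not part of the original post or any project's code): a small POSIX shell audit that lists who holds docker-group membership, flags a Docker socket whose mode lets the group or everyone write to it, and reports whether DOCKER_HOST points at a per-user (rootless) socket. The function names docker_group_members, socket_risk, rootless_context and audit_host are assumptions made for this example; the group-file and mode-string formats are the standard ones.

```shell
#!/bin/sh
# Added example, not from the original comment. Helper names are hypothetical.

# docker_group_members GROUP_FILE
#   Print every member of the "docker" group, one per line. On a default
#   (rootful) daemon, each of these users is effectively root on the host.
docker_group_members() {
  awk -F: '$1 == "docker" {
             n = split($4, u, ",")
             for (i = 1; i <= n; i++) if (u[i] != "") print u[i]
           }' "$1"
}

# socket_risk MODE
#   MODE is the symbolic mode string as printed by `stat -c %A`, e.g. srw-rw----.
#   Position 6 is the group write bit, position 9 the world write bit.
#   Prints "risky" if either is set, otherwise "ok".
socket_risk() {
  case "$1" in
    ?????w*|????????w*) echo risky ;;
    *) echo ok ;;
  esac
}

# rootless_context DOCKER_HOST_VALUE
#   Rootless Docker serves its socket under the user's runtime dir
#   (unix:///run/user/<uid>/docker.sock); anything else is treated as rootful.
rootless_context() {
  case "$1" in
    unix:///run/user/*/docker.sock) echo rootless ;;
    *) echo rootful ;;
  esac
}

# audit_host
#   Run the three checks against the live system when the relevant files exist.
audit_host() {
  if [ -r /etc/group ]; then
    echo "docker group members:"
    docker_group_members /etc/group | sed 's/^/  /'
  fi
  if [ -S /var/run/docker.sock ]; then
    mode=$(stat -c %A /var/run/docker.sock 2>/dev/null)
    echo "socket /var/run/docker.sock ($mode): $(socket_risk "$mode")"
  fi
  echo "DOCKER_HOST context: $(rootless_context "${DOCKER_HOST:-}")"
}

# Uncomment to run against the current machine:
# audit_host
```

Each member printed by docker_group_members is someone for whom "sudo is protected" does not hold in practice; switching to rootless mode, or removing the group membership in favour of a per-user context, is the mitigation the comment's "(non-rootless)" qualifier implies.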