DataDrake I apologize for chiming in here, but I don't believe this to be FUD at all. You can test it out for yourself (in my case I did it on GNOME 40):
- Install an xorg keylogger like x11log
- Start a program that requires root (like gparted). GNOME will ask you for your password. The keylogger will record your password.
- Start a gnome-terminal
- Run a command using sudo, which will ask you for your password. The keylogger will record your password as well.
Now do the same in a GNOME Wayland session (using another distro, since it doesn't work on Solus). You will notice that in both cases your password will not be logged by the keylogger, so Wayland effectively protected your login password.
You're not 100% incorrect however. By default, Firefox runs via Xorg for example, so the keylogger will log all your online login credentials, which is definitely bad, arguably even worse than your login credentials. For Firefox at least you can start it in Wayland mode by setting the MOZ_ENABLE_WAYLAND=1 environment variable before starting Firefox. This WILL protect your online credentials from Xorg keyloggers.
Even worse: On Xorg, any application has full access to the entire screen, so screencapture and screenshots are possible from any application. On Wayland (for GNOME at least), capturing the screen requires the use of an xdg portal, which will display a window from GNOME that asks you if you want to share your screen with the given application.
You might still argue that any application that runs with your user privileges can easily escalate its privileges to do the same, even on a Wayland session, and you would be right. But that's where Flatpak comes in for example. On a Wayland session, a Flatpak application is usually isolated in such a way that it can neither log your keystrokes nor capture your screen, and it also can't escalate its privileges enough to gain these capabilities. On Xorg however, the Flatpak sandbox is ineffective against screen capture and key logging.
This definitely isn't a black and white issue, there's a lot of gray here, but I don't think calling @pospikxd's security concerns "FUD" is fair!
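A defender-side check for the Flatpak point in the post above, as an added example that is not part of the original post: it reads the `sockets=` line of a Flatpak permissions keyfile (as printed by `flatpak info --show-permissions <app-id>`) and reports whether the sandboxed app is handed an X11 socket for a given `$XDG_SESSION_TYPE`. The sample keyfile and the function names are constructed for illustration.

```python
import configparser

# Constructed sample of `flatpak info --show-permissions <app-id>` output
# (Flatpak metadata keyfile); the values are made up for this example.
SAMPLE_PERMISSIONS = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
"""


def granted_sockets(keyfile_text):
    """Return the set of sockets granted in the [Context] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keyfile keys are case-sensitive
    parser.read_string(keyfile_text)
    raw = parser.get("Context", "sockets", fallback="")
    entries = [s.strip() for s in raw.split(";") if s.strip()]
    # A leading "!" (as used in override files) removes a socket.
    denied = {s[1:] for s in entries if s.startswith("!")}
    return {s for s in entries if not s.startswith("!")} - denied


def x11_exposure(keyfile_text, session_type):
    """Classify the display sockets the sandboxed app receives.

    session_type is the value of $XDG_SESSION_TYPE ("x11" or "wayland").
    """
    sockets = granted_sockets(keyfile_text)
    # "x11" is unconditional (Xorg on an X11 session, XWayland on Wayland);
    # "fallback-x11" only grants X11 when the session is not Wayland.
    if "x11" in sockets or (
        "fallback-x11" in sockets and session_type != "wayland"
    ):
        return "x11-granted"
    if "wayland" in sockets:
        return "wayland-only"
    return "no-display-socket"


if __name__ == "__main__":
    import os

    session = os.environ.get("XDG_SESSION_TYPE", "unknown")
    print(session, x11_exposure(SAMPLE_PERMISSIONS, session))
```

An unknown session type is treated like a non-Wayland session, so `fallback-x11` is reported conservatively as `x11-granted`.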