I think you are mixing up the "official Wayland reference" and some "advocates".
The official Wayland reference does not talk about malware at all, as this is not something that a windowing protocol can solve. The best they can do is to promise "client isolation" -- which means that one client cannot affect another via the Wayland protocol.
I am sure there are some Wayland advocates somewhere who are making dubious claims. This does not mean that Wayland security is useless -- it just means that specific systems are not secure yet. People on the internet can claim all sorts of crazy things, and you should not hold what random bloggers say against the whole system.
Re X11 sandboxing, from my reading, the general opinion is that X11 is impossible to secure. They did the SECURITY extension, but it apparently does not work well; see this wonderful quote from Debian's ssh manpage [0]:
> Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension restrictions by default, because too many programs currently crash in this mode.
What other X11 isolation mechanisms are there? Xnest breaks seamless window switching, things like VNC introduce a ton of latency.
So before Wayland we did not have a desktop with solid client isolation, so no one cared about process isolation either. What's the point of running a browser from a trusted account if any random desktop app can steal its keystrokes? The best one could do was Qubes OS, and that had plenty of its own overhead.
Now with more people switching to Wayland this should help. It's far past time that people stop assuming that "one human user" == "one entry in /etc/passwd" and start separating services by account.
[0] https://manpages.debian.org/buster/openssh-client/ssh.1.en.h...
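As an added example (not part of the comment above), here is a small POSIX shell check a defender can run to see which isolation model a session actually gets. It reads only the standard environment variables a compositor or X server exports (XDG_SESSION_TYPE, WAYLAND_DISPLAY, DISPLAY); the classification labels and the isolation notes are my own. It also covers the caveat that most Wayland sessions keep Xwayland running, so X11 clients inside such a session still share one X server and are not isolated from each other.

```shell
#!/bin/sh
# Classify a desktop session from the variables the compositor or X server
# exports, and report whether an X11 path is still open to clients.
# Arguments are passed in explicitly so the function can be exercised
# without a live session:
#   $1 = XDG_SESSION_TYPE   $2 = WAYLAND_DISPLAY   $3 = DISPLAY
# Prints one of (labels are this example's own, not standard terms):
#   wayland-only      Wayland socket, no DISPLAY: X11 clients cannot connect
#   wayland+xwayland  Wayland socket plus DISPLAY: X11 clients share a single
#                     Xwayland server and are not isolated from each other
#   x11               plain X server: no isolation between clients
#   unknown           no graphical socket advertised (headless, tty, ...)
classify_session() {
    session_type=$1
    wayland_display=$2
    x_display=$3

    if [ -n "$wayland_display" ] || [ "$session_type" = "wayland" ]; then
        if [ -n "$x_display" ]; then
            echo "wayland+xwayland"
        else
            echo "wayland-only"
        fi
    elif [ -n "$x_display" ] || [ "$session_type" = "x11" ]; then
        echo "x11"
    else
        echo "unknown"
    fi
}

# Map the classification to the client-isolation property it implies.
isolation_note() {
    case "$1" in
        wayland-only)     echo "clients isolated by the compositor" ;;
        wayland+xwayland) echo "native clients isolated; X11 clients share Xwayland" ;;
        x11)              echo "no isolation between X11 clients" ;;
        *)                echo "no graphical session detected" ;;
    esac
}

# Live report for the current environment (empty values are treated as unset).
kind=$(classify_session "${XDG_SESSION_TYPE:-}" "${WAYLAND_DISPLAY:-}" "${DISPLAY:-}")
printf '%s: %s\n' "$kind" "$(isolation_note "$kind")"
```

Run it inside a graphical session; if it reports wayland+xwayland, unsetting DISPLAY for a specific application (or launching it under a compositor without Xwayland) is the way to confirm the app does not quietly fall back to the shared X11 path.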