-- something that's bugged me a little is the way Unix has lots of protection from different users spying on each other, but the way I actually use it on my laptop, there's just one user (and sudo and ssh-agent allow that user to easily get additional access to the system or to other systems). So if a program misbehaves, or my web browser has a vulnerability, it's game over.
In that vein, I thought it might be interesting to try doing things a bit differently. So on my new laptop, I'm running chromium via "xpra ssh:aj-web@localhost:100" instead of directly -- that is, as a separate unprivileged user, aj-web -- so even if there are exploits, it can't do anything obnoxious to my actual data, or get access to sudo, or ssh anywhere using my agent keys. Of course, this will probably be annoying when I want to upload/download stuff, but hopefully that'll be mild.
I think xpra gets the right mix of features to optimise for security -- X lets apps peek at other apps' display, input, and clipboard, but detaching the xpra session should block that if you need to do something more sensitive than normal (banking passwords?), and you can just reattach and pick up where you left off afterwards. Having chromium fire up libreoffice or similar to view untrusted documents, all as a sub-privileged user, seems like it also works about right.
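To make the setup above concrete, here is an added example script (mine, not the author's, and not anything shipped with xpra) that creates the sandbox user, starts the xpra server as that user with chromium as its only child, attaches and detaches, and then checks that the isolation the post relies on actually holds: no agent socket, no sudo, no read access to the main home directory, and a DISPLAY that belongs to xpra rather than to the real X server. The user name aj-web, display :100, the dedicated key ~/.ssh/id_web and the path to chromium are assumptions; the xpra options used (start, attach, detach, stop, --start-child, --exit-with-children, --ssh) and the ssh options are real, but check them against the versions you have installed.

```shell
#!/bin/sh
# Added example, not the author's script: an unprivileged user owns the xpra
# session chromium runs in; we attach to it over ssh to localhost.
# Assumed names (not from the post): user aj-web, display :100, key ~/.ssh/id_web.

WEB_USER="${WEB_USER:-aj-web}"
DISPLAY_NO="${DISPLAY_NO:-100}"
WEB_KEY="${WEB_KEY:-$HOME/.ssh/id_web}"
# A dedicated key for the localhost hop, so the main ssh-agent is never needed
# and is explicitly not forwarded; -x disables X11 forwarding, because the
# sandbox must get its own X display from xpra, not ours.
SSH_CMD="ssh -x -o ForwardAgent=no -o IdentitiesOnly=yes -i $WEB_KEY"

# One-off setup: a user with no password and no sudo, our home made
# unreadable to it, and the dedicated public key installed for it.
setup_sandbox_user() {
    sudo useradd --create-home --shell /bin/sh "$WEB_USER"
    chmod 750 "$HOME"                       # aj-web is not in our group
    [ -f "$WEB_KEY" ] || ssh-keygen -t ed25519 -N '' -f "$WEB_KEY"
    sudo -u "$WEB_USER" mkdir -p -m 700 "/home/$WEB_USER/.ssh"
    sudo -u "$WEB_USER" tee "/home/$WEB_USER/.ssh/authorized_keys" \
        <"$WEB_KEY.pub" >/dev/null
}

# Start the xpra server as the sandbox user with chromium as its child;
# --exit-with-children tears the session down when the browser exits.
start_session() {
    $SSH_CMD "$WEB_USER@localhost" \
        xpra start ":$DISPLAY_NO" --start-child=chromium --exit-with-children
}

# Show the session on our display. 'xpra detach' hides it again while the
# browser keeps running on :100, where it cannot see our real X clients.
attach_session() {
    xpra attach "ssh:$WEB_USER@localhost:$DISPLAY_NO" --ssh="$SSH_CMD"
}
detach_session() {
    xpra detach "ssh:$WEB_USER@localhost:$DISPLAY_NO" --ssh="$SSH_CMD"
}

# Run a command as the sandbox user with the xpra display, to see what a
# compromised browser would see.
run_in_session() {
    $SSH_CMD "$WEB_USER@localhost" "DISPLAY=:$DISPLAY_NO $*"
}

# check_env_dump: read an env(1) dump on stdin; succeed only if nothing that
# reaches back into the main account leaked through and DISPLAY is xpra's.
check_env_dump() {
    dump=$(cat)
    leaked=$(printf '%s\n' "$dump" |
        grep -E '^(SSH_AUTH_SOCK|SSH_AGENT_PID|SUDO_[A-Z_]+)=' || true)
    if [ -n "$leaked" ]; then
        printf 'leaked into sandbox: %s\n' "$leaked" >&2
        return 1
    fi
    if ! printf '%s\n' "$dump" | grep -qE "^DISPLAY=:$DISPLAY_NO(\.[0-9]+)?$"; then
        echo "sandbox DISPLAY is not :$DISPLAY_NO" >&2
        return 1
    fi
    return 0
}

# Live checks of what the post counts on; each attempt must fail.
check_isolation() {
    run_in_session env | check_env_dump || return 1
    # sudo -n never prompts, so this fails instead of hanging
    if run_in_session sudo -n true 2>/dev/null; then
        echo "sandbox can sudo" >&2; return 1
    fi
    if run_in_session test -r "$HOME"; then
        echo "sandbox can read $HOME" >&2; return 1
    fi
    # ssh-add exits 2 only when no agent is reachable at all
    run_in_session ssh-add -l >/dev/null 2>&1
    if [ $? -ne 2 ]; then echo "sandbox can reach an ssh-agent" >&2; return 1; fi
    echo "isolation checks passed"
}

case "${1:-}" in
    setup)  setup_sandbox_user ;;
    start)  start_session ;;
    attach) attach_session ;;
    detach) detach_session ;;
    check)  check_isolation ;;
    stop)   $SSH_CMD "$WEB_USER@localhost" xpra stop ":$DISPLAY_NO" ;;
    *)      echo "usage: $0 setup|start|attach|detach|check|stop" >&2 ;;
esac
```

The ForwardAgent=no on the localhost hop is the part most easily lost: a "Host *" stanza with ForwardAgent yes in ~/.ssh/config would quietly hand the sandboxed browser the very agent keys the whole arrangement is meant to keep from it, which is why the check runs ssh-add -l from inside the session rather than trusting the config. For sound, the same speaker setting that lives in /etc/xpra/xpra.conf can also be given per session as --speaker=on on the attach command line.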
So far xpra seems pretty great; it's working fine for typing this, e.g. It even seems to play youtube videos okay, though for some reason sound is entirely disabled. I guess I could try changing the "speaker=off" setting in /etc/xpra/xpra.conf at some point though...