> Pipewire runs under the pipewire user, managed by systemd or OpenRC. Which means any of their managed processes can start a new pipewire user process.

The box I checked has no pipewire user and it's running under the account I logged in with.

> A local priv-sec is one exploit [0] away from a remote one.

That only matters for accounts that talk to the outside world.

If I'm the only user, I'm not depending on security features to keep my account and the pipewire account safe from each other. Privilege escalation is a big threat for systems that are running in a significantly different way.