I'm really disappointed to see this get mentioned in this context, it's not relevant. At least on debian, ssh -Y and ssh -X has done the same thing since like 2013 because ssh -X is broken and causes clients to crash. The "sandboxing" there doesn't really work. And it's a lot more than a little love that they need to get them working, the whole reason Xephyr sandboxing exists is because Xsecurity and XACE are so broken that it's unusable. You can see more about this in another comment here: https://news.ycombinator.com/item?id=29092612