Full screen spoofing security
Allowing an application to control full screen at all is at odds with maximum security: the application could pretend it's the real desktop and steal secrets this way.
If we want to guarantee some high security level (a setting?), there should be a permanent, unforgeable indicator whenever the screen is controlled by something other than the shell.
We could skip that and instead offer an unpreventable "dream out" gesture (input), upon which the screen would be forcefully given back to the shell. However, this approach is a little worse, because the user would first have to suspect that something is wrong, and then they would have to remember what exactly the magic gesture was.
This needs cooperation between:
- security (what will be sufficient)
- design (what will make sense)
- management (what do we want to provide)