So, the way I see it is: if XSS has to be uncrasheable, sandbox it.
Wrap it in something that's actually uncrasheable, and that will reload it unless XSS exits with code 0 or something.
Or have a syscall to "freeze" the user (this is why Windows required Ctrl-Alt-Del to log in - so that the login input was gatekept), but yeah, X11 is a mess.
> that will reload it unless XSS exits with code 0 or something
Sort of what https://github.com/google/xsecurelock recommends doing.
Also, xsecurelock doesn't run the input and PAM auth in the same process as the lock, making input bugs (https://news.ycombinator.com/item?id=21224179) harmless as well.
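The "reload it unless it exits 0" wrapper from the first comment, as an added sketch (not xsecurelock's or XScreenSaver's code): the locker command, the `LOCKER_RESTART_DELAY` variable and the crash-twice-then-unlock stand-in are all constructed for the example.

```sh
#!/bin/sh
# Supervisor sketch (added example): keep re-running a screen locker until it
# exits 0, which we take to mean "user authenticated, unlock". Any other exit
# status (crash, signal, error) means the screen must stay locked, so the
# locker is started again. The loop itself does almost nothing, so it has far
# less to crash on than the locker it wraps.

# supervise_locker CMD [ARGS...]
# Runs CMD until it exits 0; prints the number of restarts that were needed.
supervise_locker() {
    restarts=0
    while :; do
        if "$@"; then
            rc=0
        else
            rc=$?
        fi
        [ "$rc" -eq 0 ] && break
        restarts=$((restarts + 1))
        # Status > 128 means the locker was killed by signal (rc - 128).
        echo "locker exited with status $rc, restarting (#$restarts)" >&2
        # Short pause so a locker that dies instantly does not spin the CPU.
        sleep "${LOCKER_RESTART_DELAY:-1}"
    done
    echo "$restarts"
}

# Constructed stand-in for a locker (not a real program): it "crashes" with
# status 139 until it has been started NEED times, then "unlocks" (exit 0).
# COUNTER_FILE persists the start count across the restarts.
fake_locker() {
    counter_file=$1
    need=$2
    n=$(cat "$counter_file" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$counter_file"
    [ "$n" -gt "$need" ] && return 0
    return 139
}
```

The wrapper only closes the "locker crashed" hole; during the restart gap the screen is still exposed, which is part of why xsecurelock also keeps the crash-prone input and PAM code out of the locking process.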