X11 – Create Separate XWayland Server for Each Program Without New TTY

Security, wayland, x11

Wayland is a simpler, modern, more secure alternative to the popular X display protocol; however, some programs break under Wayland because they're designed for X. XWayland exists, which runs an X server as a Wayland client, and any programs needing X simply run under XWayland instead. XWayland is isolated just like other Wayland clients.

However, within XWayland, the X clients are not isolated from each other. This is obviously a problem. For example, neither Chrome nor Tor Browser supports Wayland, and this means they run under XWayland; an exploit in Tor Browser could bypass Chrome's security features and record the browser content, rendering much of the security pointless.

Is there a way to run a separate XWayland server for each program? That way, they would all be isolated as Wayland clients. I don't want to use a new TTY since that gets inconvenient and changes workflow.

Best Answer

I figured out how to do it.

While in your compositor, open a new instance of your compositor (for example, Weston inside Weston) and open each XWayland-required program in a separate instance. They will each be isolated and have separate XWayland servers.

This is a hack, and wastes screen space, so if others have a cleaner solution, please answer.
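A scripted form of the nested-compositor approach, added here as an example and not taken from the answer above: each X11-only program is started inside its own nested Weston, so it gets a private XWayland and cannot see X clients of other programs. It assumes Weston 5 or later with the xwayland plugin (the `--xwayland`, `--socket` and `--log` options), a running Wayland session with `WAYLAND_DISPLAY` set, and that Weston logs "xserver listening on display :N" when its X socket is ready; the socket naming scheme is constructed for this script.

```shell
#!/bin/sh
# Added example: run each X11-only program in its own nested Weston, hence its own XWayland.
# Assumes Weston 5+ with the xwayland plugin and an outer Wayland session (WAYLAND_DISPLAY set).

# Socket name unique to this program and suffix (constructed naming scheme, e.g. wayland-chrome-4242).
nested_socket_name() {
    printf 'wayland-%s-%s' "$(basename "$1" | tr -c 'A-Za-z0-9_\n' '_')" "$2"
}

# Extract the X display (e.g. ":1") that the nested Weston's xwayland plugin reports
# in its log once it has bound the X socket; empty string if not (yet) present.
x_display_from_log() {
    sed -n 's/.*xserver listening on display \(:[0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Start a nested compositor with XWayland, run the program inside it, tear it down afterwards.
run_isolated_x11() {
    prog="$1"; shift
    sock="$(nested_socket_name "$prog" "$$")"
    log="${XDG_RUNTIME_DIR:-/tmp}/$sock.log"
    # With WAYLAND_DISPLAY set, Weston selects its wayland backend and nests itself.
    weston --xwayland --socket="$sock" --log="$log" &
    weston_pid=$!
    # Wait (up to ~10 s) for the nested XWayland listening socket to be announced.
    i=0; disp=""
    while [ -z "$disp" ] && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
        [ -f "$log" ] && disp="$(x_display_from_log "$log")"
    done
    if [ -z "$disp" ]; then
        echo "nested weston did not announce an X display" >&2
        kill "$weston_pid"; return 1
    fi
    # Point the program only at the nested compositor: its X display and its Wayland socket,
    # so even a Wayland-capable build cannot reach the outer session directly.
    WAYLAND_DISPLAY="$sock" DISPLAY="$disp" "$prog" "$@"
    rc=$?
    kill "$weston_pid"   # the nested compositor (and its XWayland) dies with the program
    return "$rc"
}

# Usage: run_isolated_x11 /path/to/x11-only-program [args...]
```

Each call opens one nested Weston window, which is the screen-space cost the answer mentions.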
