(Preemptive N.B.—I'm far from an expert, but I'm very interested in seeing this aspect of the topic discussed further by folks who might be experts.)
Isn't the general premise here that one can choose to package up any program in as many deeply nested (virtual or physical) sandboxes as one would like, but there's an inherent benefit to the piece of software inside all those boxes exposing to one's adversary as few avenues as possible to attempt to escape them (specifically as it pertains to people in the business of painting targets on their backs e.g. Soghoian)?
Put another way, of course Gmail and Chrome have dedicated security teams, but they won't ever have prevent $GIVEN_INFOSEC_RESEARCHER's box from getting owned teams.
Isn't the general premise here that one can choose to package up any program in as many deeply nested (virtual or physical) sandboxes as one would like, but there's an inherent benefit to the piece of software inside all those boxes exposing to one's adversary as few avenues as possible to attempt to escape them (specifically as it pertains to people in the business of painting targets on their backs e.g. Soghoian)?
Put another way, of course Gmail and Chrome have dedicated security teams, but they won't ever have prevent $GIVEN_INFOSEC_RESEARCHER's box from getting owned teams.