Is that a reasonable argument against using X11? Sure, for some use cases. Is it a good argument for wayland/windows/OSX/whatever to do your tiling WM experimentation? Not really, those environments kinda suck for playing around with.
[1] Or "local-ish", your system or a trusted remote has to have been compromised already. Untrusted X11 protocol still exists but is deliberately disabled (and often blocked) everywhere. Even ssh won't forward it anymore unless you dig out the option and turn it on manually.
It's not like it's not a valid argument, just that it's sort of a nitpick. Security is hard, and defense in depth is a thing, but this particular attack surface is way, way back in the "depth" stack for a modern app deployment.
We've had to give up so much flexibility. Wayland certainly focuses on plugging this hole, but it means we've lost all these cool utilities like this one. There was just so much you could do with devilspie, xdotool, and others to make sure my operating system and window environment worked for me.
I still really miss X11's Zaphod mode, where you had two independent X sessions (:0.0 and :0.1) on two different monitors, with different window managers and different windowing rules.
I miss the days of being able to trust my computer and trust my software.
Wayland breaks a lot of these tools because it is so much simpler than X.
Again, this isn't the fault of "Wayland", which is just a compositor framework. The complaint is that the ecosystem of "desktop" software which evolved around Wayland is an ad hoc monstrosity that lacks the unified structure that its ancestor had way back in the X11R5 days.
You can say many things about Wayland, but it's "simple" from a point of view I for one really do not care about. Wayland may be "simple" in some respects, but it makes most of the things I care about doing unnecessarily complex.
That's only true if you decide to trust it.
You can deal perfectly well with software you distrust, and not have it harm your system.
Browser sandboxes pretty heavily though of course one does want to be a bit careful there too.
Why exactly should we perpetuate the insecure old single-privilege-level desktop model?
Coincidentally, it's also the best experience, for whatever reason it's the only on that supports virtual backgrounds on Linux for me? Neither Chrome nor Desktop seem to work for this.
Thankfully, for a lot of software, there is no reason to ever give them network access in the first place.
As for the rest, they may have "analytics" (spyware) but are there any documented cases of any of them acting as an X11 keyloggers or covertly screenshotting the users desktop? Those are the threats Wayland asks us to fear. And Wayland won't protect us from the rest. If Firefox or Audacity phone home with reports about what I'm doing with those applications, Wayland won't stand in the way.
Because after 10 years of heavy development none of the waylands have managed support simple things like screen readers. X11 supports screen readers and innumberable other vital accessibility features that wayland never will be able to. Some waylands might eventually develop extensions for their particular desktop but there won't ever be a way for wayland protocol because it can't. Security theater is more important than accessibility/usability for wayland that leaves many use cases and entire demographics of people out in the cold.
So yes, X11, which is still the least worst option. Better to have the ability to do all things than have to wait decades+ for developers to write complex extensions to do things (and just for their DE, causing fragmentation).