> Rather, I'm looking for a full separation between the users,
> nothing shared but the obsd kernel and hardware, and no more overhead for
> each one than X normally has, since each user is just running
> flat normal X, but fully and independently of the other X user. Am I
> mistaken in how I understand Xnest and Xephyr?

It's possible to run multiple X servers. As far as I know all you would have to do is add another line to /etc/X11/xenodm/Xservers and edit /etc/ttys to not launch a tty on the console window you selected.

Although you don't really need multiple X servers for privilege separation. ssh and vnc open an untrusted connection to the X server, which you can do manually with xauth. I managed to get Firefox running as an untrusted client with the following snippet in /etc/X11/xenodm/Xsetup_0:

    user=_firefox
    auth=/home/$user/.Xauthority
    # create the cookie file with no group/other access
    umask 077
    # '.' is xauth shorthand for MIT-MAGIC-COOKIE-1; timeout 0 keeps the cookie from expiring
    xauth -f $auth generate :0 . untrusted timeout 0
    chown $user:$user $auth
    chmod 0600 $auth

And then starting it as the unprivileged _firefox user.
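
Added example, not part of the original message: a pre-launch check for the cookie file that the Xsetup_0 snippet above creates, refusing to start the client unless the file is a non-empty regular file owned by the target user with mode 0600. The helper names check_xauth_file and run_untrusted, the DISPLAY=:0 value and the use of doas to switch user are assumptions.

```shell
#!/bin/sh
# Hypothetical helpers; they only inspect the file, not the server-side
# trust level, which is recorded in the X server and not in the file.

# check_xauth_file FILE USER_OR_UID
check_xauth_file() {
    file=$1 user=$2
    # A symlink could point the client at someone else's cookie.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2; return 1
    fi
    # An empty file means xauth generate wrote no cookie.
    if [ ! -s "$file" ]; then
        echo "$file: empty, no cookie was generated" >&2; return 1
    fi
    # Accept either a login name or a numeric uid.
    case $user in
        ''|*[!0-9]*) want_uid=$(id -u "$user") || return 1 ;;
        *)           want_uid=$user ;;
    esac
    # ls -ln: field 1 is the mode string, field 3 the numeric owner uid.
    perms=$(ls -ln "$file" | awk '{print $1}')
    uid=$(ls -ln "$file" | awk '{print $3}')
    case $perms in
        -rw-------*) ;;   # trailing '.' or '+' markers are tolerated
        *) echo "$file: mode $perms, expected -rw-------" >&2; return 1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "$file: owned by uid $uid, expected $want_uid" >&2; return 1
    fi
    return 0
}

# run_untrusted USER FILE CMD [ARGS...]
# Starts CMD as USER with only the checked cookie file in its environment.
run_untrusted() {
    user=$1 file=$2
    shift 2
    check_xauth_file "$file" "$user" || return 1
    doas -u "$user" env DISPLAY=:0 XAUTHORITY="$file" "$@"
}

# Usage (assumed paths from the snippet above):
#   run_untrusted _firefox /home/_firefox/.Xauthority firefox
```
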