Wayland is developed by people who don't take security seriously at all. So security arguments are irrelevant here and do not favor Wayland in any way.
I'd say Wayland is just a new thing that breaks everything in an attempt to break less.
It’s a red herring anyway. All processes owned by a user can influence all other processes owned by that user, either directly or indirectly. It’s basically impossible to prevent. Don’t run code you don’t trust and don’t let things you don’t trust connect to your display server.
Well, you don't have to run an untrusted program as your user account, you can sandbox. If you run something in a jail and pass it a Wayland socket, it will be able to display, but won't be able to modify your files.
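The setup described in the last comment, as an added example that is not part of the thread: it resolves the compositor socket from `WAYLAND_DISPLAY` and `XDG_RUNTIME_DIR` and builds a command line that exposes only that socket to the sandboxed program. Using bubblewrap (`bwrap`) as the jail, a merged-`/usr` layout, and the names `wayland_socket_path`, `sandbox_argv` and `/run/sandbox` are assumptions of this example.

```python
import os
import shlex
import sys

def wayland_socket_path(env):
    """Locate the compositor socket: an absolute WAYLAND_DISPLAY is used as-is,
    otherwise it is a name inside XDG_RUNTIME_DIR (default name: wayland-0)."""
    display = env.get("WAYLAND_DISPLAY") or "wayland-0"
    if os.path.isabs(display):
        return display
    runtime_dir = env.get("XDG_RUNTIME_DIR")
    if not runtime_dir:
        raise RuntimeError("XDG_RUNTIME_DIR is not set; cannot locate the Wayland socket")
    return os.path.join(runtime_dir, display)

def sandbox_argv(env, command, sandbox_runtime="/run/sandbox"):
    """Build a bwrap command line whose only link to the desktop session
    is the Wayland socket. sandbox_runtime is a path chosen for this example."""
    inner_socket = os.path.join(sandbox_runtime, "wayland-0")
    return [
        "bwrap",
        "--unshare-all",              # fresh namespaces, including no network
        "--die-with-parent",          # sandbox exits when the launcher exits
        "--new-session",              # no access to the controlling terminal
        "--ro-bind", "/usr", "/usr",  # read-only system files (merged /usr assumed)
        "--symlink", "usr/bin", "/bin",
        "--symlink", "usr/lib", "/lib",
        "--symlink", "usr/lib64", "/lib64",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--tmpfs", "/home",           # empty home: the user's files are not visible
        "--dir", sandbox_runtime,     # private runtime dir instead of the real one
        "--bind", wayland_socket_path(env), inner_socket,
        "--setenv", "XDG_RUNTIME_DIR", sandbox_runtime,
        "--setenv", "WAYLAND_DISPLAY", "wayland-0",
        "--", *command,
    ]

if __name__ == "__main__":
    # Usage: python3 this_file.py PROGRAM [ARGS...]; prints the command to run.
    print(shlex.join(sandbox_argv(os.environ, sys.argv[1:] or ["true"])))
```

Only the socket file is bound, not the whole runtime directory, so other per-user sockets that usually live beside it (D-Bus, PulseAudio or PipeWire) stay out of the sandbox.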