I guess my question is: Why shouldn't "take a screenshot, either of a window, the whole screen, or a portion of the screen" be something that Wayland itself be expected to handle?
I mean, if you're worried about security of apps from other apps, don't make it something in the apps' domain. Only allow Wayland to take the screenshots, but support that, make it easy, and you won't need to worry about either the security model or users complaining.
I mean, this is the way other OSes do it...to the best of my knowledge (which is certainly not comprehensive) neither Windows nor macOS allow arbitrary apps to screenshot arbitrary portions of the screen; that's handled by the OS itself.
I think that (the compositor doing the screenshotting) is already the way it works. But "screenshots" (i.e. fed to the user as files / on the pasteboard) are the exception, not the rule, of the use of this API.
The normal, non-edge-case use of the relevant screen-capturing API is for screen-sharing ala Zoom, or for remote desktop using RDP et al. These are use-cases where one app wants to see what's going on in other apps — exactly the thing you wouldn't want a malicious app to be able to do, but also exactly the thing that you do want these apps to be able to do.
I mean, if you're worried about security of apps from other apps, don't make it something in the apps' domain. Only allow Wayland to take the screenshots, but support that, make it easy, and you won't need to worry about either the security model or users complaining.
I mean, this is the way other OSes do it...to the best of my knowledge (which is certainly not comprehensive) neither Windows nor macOS allow arbitrary apps to screenshot arbitrary portions of the screen; that's handled by the OS itself.