
SELinux is snake oil compared to pledge and unveil. Intrinsic vs extrinsic. The first one always wins.


lol, you clearly have no clue. SELinux and other MAC systems are the only thing that can protect against a hostile actor getting remote root.


You need to get root in the first place. Good luck trying to crack any pledged process running something outside its allowed syscalls without being ABRT'd in zero time.


Yeah, it's not like OpenBSD hasn't had remote root issues before...

And this is exactly what I'm talking about. Putting more energy into hoping no one ever gets root rather than providing anything to protect against the scenario where it is obtained.



