And whitelisted processes don't have to take input from anything other than the user himself; a command-line screenshot tool that can be run by any program and doesn't ask for interactive confirmation through a trusted channel (i.e. keyboard events directed into its own window by the compositor itself) would be a pretty stupid thing to whitelist unless you've got proper sandboxing for any untrusted apps.