This should be mentioned in the talk, if I recall correctly. We’ve assumed “compromised jail” as a starting point to highlight the discrepancy between “root in jail” and “root on host” that has appeared with the invention of jails. And how some subsystems that were made “jail-aware” over the years, don’t take this distinction into account enough, unfortunately. Thanks for the feedback, much appreciated!