Rather, I'm looking for a full separation between the users, nothing shared but the obsd kernel and hardware, and no more overhead for each one than X normally has, since each user is just running flat normal X, but fully and independently of the other X user. Am I mistaken in how I understand Xnest and Xephyr?
Right, I think the vnc / Xnest / Xephyr suggestions assume you've got one "main" user accessing the sessions that belong to the other users.
I don't really know enough to comment on how much any of this helps with security.
-- James
