> the compositor then composites them together. to me, that feels more like the kernel is at the center of the diagram here: the wayland compositor is between the kernel and the output / input.

It's also possible to use hardware planes to get the actual graphics device to composite for you directly from its video memory, effectively reducing latency to the lowest possible.

Pretty sure Deepins DE uses this model

This has nothing to do with Wayland, only a poor implementation of a display server running a Javascript shell, namely called GNOME.

> If you want that start your processes as different users.

How does this make any difference if they're going to connect to the same IPC that handles input/display?

The display server must absolutely enforce some kind of security boundary between clients. Clients that are running untrusted code (e.g. a web browser) must not be able to hijacked into controlling a potentially privileged client (e.g. a root terminal).

If you reinvented Wayland, there's little reason you would t get the same thing.

The "limitations" are political, not technical.