Well, I find that innecesary. If you set OpenBSD encryption with bioctl, no one will tamper with your data if the machine is turned off. On the exploits, very difficult to do so, pledge, unveil and OpenBSD mitigations work.
And the login manager it's usually XenoDM (forked XDM), GDM or whatever X.org based DE manager the user got installed, and that's impossible to tamper with with user permissions.
On potential malware, well, first you need to run it, and yes, any software could dump keyboard and mouse input under your account by design, but for sysadmins, XTerm has a secure keyboard input mode where the keyboard and mouse are bound to that XTerm window and you can't do anything else except to type in that XTerm, because the input it's locked to that window.
Nothing can't sniff from that terminal emulator window, the channel is locked.
The only thing you could do it's to switch to VT with Ctrl-Alt-[F1-F7], but forget doing anything
in the window manager. You can input to the XTerm and select info with the mouse and no more.
And the login manager it's usually XenoDM (forked XDM), GDM or whatever X.org based DE manager the user got installed, and that's impossible to tamper with with user permissions.
On potential malware, well, first you need to run it, and yes, any software could dump keyboard and mouse input under your account by design, but for sysadmins, XTerm has a secure keyboard input mode where the keyboard and mouse are bound to that XTerm window and you can't do anything else except to type in that XTerm, because the input it's locked to that window. Nothing can't sniff from that terminal emulator window, the channel is locked.
The only thing you could do it's to switch to VT with Ctrl-Alt-[F1-F7], but forget doing anything in the window manager. You can input to the XTerm and select info with the mouse and no more.