Just want to share some thoughts on Genode and SculptOS security.
As an experienced Windows/Unix/Linux user I got used to the concept of a “multiuser” system taking it as a “natural” way of system security control.
Thinking about it in historical perspective, I have the impression that this was a design decision developed for the systems of the past - the mainframe computers.
In the era when computers were at least as big as a wardrobe and very expensive, it was physically and financially impractical to give each user his own machine.
So naturally the time-sharing concept was born, allowing multiple users to work with the same machine at the same time using remote thin-client terminals like the VT100 etc.
In such systems there naturally arises the problem of sharing and isolating computing resources between users, so that no user could accidentally or intentionally intrude into other users’ work.
On top of that, for user-management convenience and better granularity, user groups were introduced as well.
And if we have multiple users, then there should be some sort of a “super user” (root or admin) that can manage all the users and have full access to the system. As well as a “super user group” (wheel) to allow having more than 1 administrator of the system, leaving the “root” user for very rare occasions.
But since Unix, Linux (and others?) are file-based systems (everything is a file), the multi-user concept should also work for files and directories, so that users could not access other users’ files and directories without the corresponding permissions.
Later those simple user-group-other permissions were extended into POSIX ACLs etc. to give even more granular control over file-system resources.
Fast-forward 40-50 years.
Now we have a big variety of file systems that store not only data but also permission metadata, which gives the OS a hint about who in the system is allowed to access what and how. And the majority of OSes are multi-user by nature.
Though the times have changed: hardware is cheap and extremely portable. Each of us has at least 1 powerful computer for exclusive private use (a smartphone). Many people even have more: a laptop or PC for home plus a laptop or PC for work, etc.
Everyone has a rich client that is used to access different internet services, and those services are distributed over dozens of physical servers. They have their own definitions of users, completely disconnected from OS-level users and groups.
So the situation has flipped in general: we don’t share an OS between users anymore, we share a user between devices and internet services. So nowadays there are almost no real-world use cases for multi-user OSes.
Genode is one of the few that didn’t take the same multi-user approach (yet?), because it provides an improved alternative: capabilities and component isolation in place of permissions and ACLs.
So effectively there is one and only one user of the system, with full access and responsibility.
Should someone want to have remote access to manage some part of it?
Fine, create an ssh component limited to that part only, for that one user. Once the user or the need is gone - just kill it and forget.
Should someone want to have a multi-user service (like a web server or database)?
Same thing, no need to have an OS user here either, just create a subsystem with its own user base. And kill it when it’s not needed anymore.
Want to use it for yourself at home/work?
Why would someone need multi-user access anyway for this scenario?
Thinking this way, I believe SculptOS doesn’t need multi-user support. No users means no user and password management, which means no way to attack the system through those.
And also it doesn’t require a POSIX-compliant file system with permission and ACL metadata. Any file system without those will do just fine.
I love this aspect of the Genode and Sculpt system!
Though we still have some security issue here - physical access to the system. In a world where a computer literally sits in a pocket and can be stolen or accessed by anyone, this is a big risk.
When I tried the gui_locker from @alex-ab I immediately fell in love with the idea of one-time passwords. It’s amazing!
No need to store and manage passwords, they are always changing, and there is no way of brute-forcing them without a keyboard-like device!
Now I’m thinking about the possibility of extending it to the sleep and power-off states. Of course keeping that optional, so if one doesn’t want it, he can skip password protection and have the system turn on or wake up next time without any password prompt.
I would be happy to have this feature, and I think this will solve the issue of physical-access attacks. Combining this with FS encryption might create a really strong security feature of the system.
Not sure if I’m oversimplifying or missing something here though.
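As an added illustration of the "no OS users, only routed capabilities" point made in the post above (this is example configuration, not something from the post or from the Genode project's own files), the following Genode init configuration confines a component to one directory of a file system purely through session routing and a server-side policy. The component names `app` and `vfs`, the directory `shared`, and the quota values are assumptions chosen for the example.

```xml
<!-- Added example (not part of the original post). Genode init
     configuration: the "app" child can reach the file system only
     because its File_system route points at the "vfs" child, and the
     vfs server's policy pins that session to the /shared subtree.
     There is no user id, group or ACL anywhere; the reachable scope
     is defined entirely by what is routed to the component. -->
<config>
  <parent-provides>
    <service name="ROM"/>
    <service name="PD"/>
    <service name="CPU"/>
    <service name="LOG"/>
  </parent-provides>

  <!-- File-system server holding an in-memory "shared" directory. -->
  <start name="vfs" caps="100">
    <resource name="RAM" quantum="4M"/>
    <provides> <service name="File_system"/> </provides>
    <config>
      <vfs> <dir name="shared"> <ram/> </dir> </vfs>
      <!-- Only sessions whose label starts with "app ->" are accepted,
           and they are rooted at /shared; everything else is refused. -->
      <policy label_prefix="app ->" root="/shared" writeable="yes"/>
    </config>
    <route> <any-service> <parent/> </any-service> </route>
  </start>

  <!-- The confined component: its File_system requests are routed to
       the vfs child; all other services come from the parent (init). -->
  <start name="app" caps="100">
    <resource name="RAM" quantum="2M"/>
    <route>
      <service name="File_system"> <child name="vfs"/> </service>
      <any-service> <parent/> </any-service>
    </route>
  </start>
</config>
```

Revoking access in this model is the "kill it and forget" step the post describes: removing the `app` start node (or the matching `policy` node) from the configuration destroys the session and its capabilities, with no user account or permission metadata left behind to clean up.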