add limitations section

Author: leafo

using/sandbox/linux.md

@@ -89,6 +89,16 @@ Each sandbox type handles game data storage differently:
 
 Because each backend stores game data in a different location, **switching between sandbox types may cause games to lose access to previously created save data**. If you switch, you will need to manually copy save data between these locations.
 
+## Limitations
+
+The current sandbox profile is designed for **compatibility** — it shares the X11 display sockets, session D-Bus, and input devices (`/dev/input`) with the host so that games work out of the box.
+
+On X11, this means a sandboxed game can still monitor keystrokes, capture screen contents, and send synthetic input to other windows. This is a limitation of the X11 protocol itself, which does not isolate clients from each other — any application connected to the same X display can observe and interact with every other client.
+
+If you run your desktop under **Wayland**, the display server enforces per-client isolation by default, so display-level protections are significantly stronger. If your desktop environment supports it, switching to a Wayland session is the simplest way to reduce this attack surface.
+
+Even on X11, the sandbox still provides meaningful protection: filesystem isolation (Bubblewrap redirects `$HOME` and mounts system directories read-only), optional network isolation, and environment variable filtering prevent many classes of unwanted access.
+
 ## Troubleshooting
 
 If a game is broken by the sandbox, try these steps: