Is it really off topic, though? My point is that porting evince to GTK 4 now without further thought to how it ought to work in the long run may not be a good use of time. I’m really not sure. Maybe it’s reasonable to both port to GTK 4 and separately figure out how to sandbox the use of poppler, but maybe it’s easier to start from scratch with a WebKitWebView and PDF.js. I don’t know, but if someone wants to port evince to GTK 4, that would be the top thing I would want to think through before starting.
It’s not a maximalist view of security. Our core apps don’t have to be as secure as Fort Knox, but they should be more or less generally safe to use. We have a PDF reader: it ought to be safe to open a PDF without having to trust that whoever created that PDF will not try to gain control of your laptop. Currently that is not true because poppler is written in an unsafe language. That doesn’t mean we shouldn’t use poppler at all, but we should expect it to be hacked and design so that the damage is contained when it happens. Other core applications that I worry about: Image Viewer, Videos, Music, and Photos. Porting to GTK 4 is a major development effort, and an ideal time to think about how to make the applications safer.