Wayland doesn't provide meaningful security for that case. It's true that there's no protocol support for arbitrary buffer access, but if you're running as the same user (as is the case here) it's comparatively trivial to dup the drm file descriptor and remap the buffers. You may need to be able to guess (or just probe for) the handles though, I'm not sure.