bloppe parent
It's not technically behind on window positioning. Rather, it was a deliberate choice not to support it. You can very reasonably object to that, but it is sorta a necessary measure to prevent clickjacking.
I'm amazed how both wayland and x11 miss the logical solution: let the user decide.
Any function that is a threat should be behind capabilities.
A program should be able to request moving its windows. The user should ultimately decide what should happen: allow or nah.
And common sense mitigations: if a new program I've never seen before drops an actionable control under my cursor, maybe just default to not immediately accepting the next input to it so I have a chance to see it.
And that, to me, is a sufficient reason not to consider Wayland as a serious option.
Did such an attack with crazy moving windows happen in the past?
I mean, you can create alternate APIs that would work for the pop-up use case: you could have a command to create a new window positioned relative to the current window’s coordinate space.
That limited capability still has a risk of denial attacks (just throwing up pop-ups that extend beyond the current window’s boundaries), but those can be mitigated in a number of ways (limit the new window’s boundaries to the current window’s, or just limit how many windows can be opened, etc.).