torsocks could support ptrace sandboxing
Pros:
- 'fixes' SIP, suid, caps
- fixes static binaries

Cons:
- kind of a pain to implement
- DNS would require actual parsing, which is apparently a hard problem even for 'minimal' implementations: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

I think an initial hybrid implementation could punt on this, and it would still fix the ugly hack of hardcoding SIP paths.
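The DNS parsing listed under cons, as an added example that is not torsocks code: a bounds-checked parser for the question section of a DNS query, which is what a ptrace-based interposer would need in order to pull the queried name out of the traced process's sendto() buffer and resolve it through Tor instead. It assumes the RFC 1035 wire format; SAMPLE_QUERY is a constructed packet, and the parser rejects truncated messages and compression-pointer loops rather than reading out of bounds.

```python
import struct

class DnsParseError(ValueError):
    pass

def read_name(msg: bytes, offset: int):
    """Decode an RFC 1035 name at `offset`, following compression pointers.
    Returns (name, offset just past the name in the caller's stream)."""
    labels, end, pos = [], None, offset
    while True:
        if pos >= len(msg):
            raise DnsParseError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer (0b11 + 14-bit offset)
            if pos + 1 >= len(msg):
                raise DnsParseError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:  # only backward pointers: rules out loops and self-pointers
                raise DnsParseError("pointer does not point backward")
            if end is None:  # caller's cursor resumes right after the first pointer
                end = pos + 2
            pos = target
            continue
        pos += 1
        if length == 0:  # root label terminates the name
            break
        if length > 63 or pos + length > len(msg):  # also rejects 0x40/0x80 label types
            raise DnsParseError("bad label length")
        # non-ASCII bytes raise UnicodeDecodeError, which is also a ValueError
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (pos if end is None else end)

def parse_query(msg: bytes):
    """Return (qname, qtype, qclass) of the first question in a DNS query."""
    if len(msg) < 12:
        raise DnsParseError("header too short")
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means a response, not a query
        raise DnsParseError("not a query carrying a question")
    name, off = read_name(msg, 12)
    if off + 4 > len(msg):
        raise DnsParseError("truncated question section")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return name, qtype, qclass

# Constructed sample: id 0x1234, standard query, one question, example.com A/IN.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")
```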