> no-preserve-root tries to solve the issue at the wrong layer of the stack and only addresses one way to break the OS. Being special to just / doesn't make sense to me.
I could see that making sense. Maybe a "really important core OS" attribute? (I wouldn't want `rm /bin/sh` to run without forcing either.)
However,
> If a program can break the operating system that is a failure in the operating system's sandboxing or permissions.
Not necessarily. I have on multiple occasions logged into a machine, gotten a root shell, and then told it to wipe its own disks (either by block discard, or just dding over with /dev/null). That is a legitimate use that should work.
> and then told it to wipe its own disks
This can be done via a dedicated factory reset or wipe feature. It doesn't need to be the responsibility of rm.
It sounded like you were arguing that no program should be able to do it, which makes it somewhat difficult to implement a wipe feature. (And whatever wipe/reset feature we have needs to be done by some operating system, because a solution that requires adding new features to everything's firmware is a non-starter in practice)
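As an added example (not code from the thread, nor from coreutils or util-linux), here is a shell helper for the "log in as root and tell the box to wipe its own disks" case from the earlier reply, carrying the same guard rm applies to / but at the layer where the destruction actually happens: it refuses to discard or zero the disk backing the running OS unless the caller explicitly forces it. The function names (`wipe_disk`, `wipe_would_break_os`), the `--no-preserve-root` argument it accepts, the list of "core OS" mount points and the sample `lsblk` table are assumptions for illustration; `lsblk -P`, `blkdiscard -f` and `dd` are the real util-linux/coreutils tools it drives.

```shell
#!/bin/sh
# Added example, not from the thread or from any project it discusses.
# Wipe a whole disk in place, refusing to take out the running OS unless
# explicitly forced. Assumes util-linux (lsblk, blkdiscard) and coreutils dd.

# Decide whether wiping $1 (e.g. /dev/sda) would destroy the running OS.
# $2 is the block-device tree as `lsblk -P -o NAME,PKNAME,MOUNTPOINT` prints
# it (one KEY="value" line per device); passing it in lets the decision be
# tested on constructed input. Walks each "core OS" mount up through its
# parents (partition, LVM/dm-crypt layers) to see if it lands on $1.
# Returns 0 if wiping $1 would break the OS, 1 otherwise.
wipe_would_break_os() {
    printf '%s\n' "$2" | awk -v disk="${1#/dev/}" '
        function core_mount(m) {            # assumed list of OS-critical mounts
            return (m == "/" || m == "/boot" || m == "/boot/efi" ||
                    m == "/usr" || m == "/var")
        }
        {
            name = ""; pk = ""; mnt = ""
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
                gsub(/"/, "", v)
                if (k == "NAME") name = v
                else if (k == "PKNAME") pk = v
                else if (k == "MOUNTPOINT") mnt = v
            }
            if (name != "") {
                parent[name] = pk
                if (core_mount(mnt)) critical[name] = mnt
            }
        }
        END {
            for (c in critical)
                for (d = c; d != ""; d = parent[d])
                    if (d == disk) hit = 1
            exit hit ? 0 : 1
        }'
}

# Wipe $1 (a whole-disk device). Pass --no-preserve-root as $2 to allow
# wiping the disk the running system lives on. Prefers a block discard
# (fast, and lets SSD firmware drop the mapping); falls back to zeroing
# when the device does not support discard.
wipe_disk() {
    dev=$1; force=$2
    [ -b "$dev" ] || { echo "wipe_disk: $dev is not a block device" >&2; return 2; }
    table=$(lsblk -P -o NAME,PKNAME,MOUNTPOINT) || return 2
    if wipe_would_break_os "$dev" "$table" && [ "$force" != "--no-preserve-root" ]; then
        echo "wipe_disk: $dev backs the running OS; pass --no-preserve-root to wipe it anyway" >&2
        return 3
    fi
    if ! blkdiscard -f "$dev" 2>/dev/null; then
        # /dev/zero as the source actually overwrites; bs/fsync are tuning.
        dd if=/dev/zero of="$dev" bs=4M conv=fsync status=progress
    fi
}

# Constructed sample lsblk output: OS on LVM over sda2, data disk on sdb.
SAMPLE_LSBLK='NAME="sda" PKNAME="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" MOUNTPOINT="/boot"
NAME="sda2" PKNAME="sda" MOUNTPOINT=""
NAME="vg-root" PKNAME="sda2" MOUNTPOINT="/"
NAME="sdb" PKNAME="" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" MOUNTPOINT="/srv/data"'

# Non-destructive demo of the guard on the constructed tree.
for d in /dev/sda /dev/sdb; do
    if wipe_would_break_os "$d" "$SAMPLE_LSBLK"; then
        echo "$d: would break the OS, --no-preserve-root required"
    else
        echo "$d: safe to wipe"
    fi
done
```

Running `wipe_disk /dev/sda` on the sample layout fails with status 3, while `wipe_disk /dev/sda --no-preserve-root` proceeds; `wipe_disk /dev/sdb` needs no flag. The guard is only as good as the mount list in `core_mount`, which is the "really important core OS" attribute argued about above expressed as a hard-coded list.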