I am using Nix everywhere and have some packages contributed, so I do know how it goes - and there absolutely are cases like I have mentioned. Sure, apps can be patched, problems can be circumvented, but a fundamentally malicious/ignorant program can end up a pain in the ass for Nix to manage (without bringing out the big guns like build FHS env).