Confined applications need access to the pulseaudio socket.
Unfortunately, this allows them to perform dangerous operations, such as load a module from an arbitrary path.
It also allows them to enumerate installed applications by listing clients.
The Pulseaudio daemon should verify if an application is confined, and if so, restrict access to certain commands.
If module loading cannot be disabled for confined applications, perhaps it could be modified to only load modules from trusted system locations.
Confined applications need access to the pulseaudio socket.
Unfortunately, this allows them to perform dangerous operations, such as load a module from an arbitrary path.
It also allows them to enumerate installed applications by listing clients.
The Pulseaudio daemon should verify if an application is confined, and if so, restrict access to certain commands.
If module loading cannot be disabled for confined applications, perhaps it could be modified to only load modules from trusted system locations.