@stefano I was getting ready to defend them (on the grounds that a security architecture shouldn't allow full access to everything just because one machine is compromised) but of course the reality was much stupider so we don't even need to get into the subtleties of the first argument and whether it does or does not apply here.