Wireguard normally runs with higher than root privileges as part of the kernel, outside of any container namespaces. If you’re running some sort of Wireguard administration service you might be able to restrict its capabilities, but that isn’t Wireguard. Most of my devices are running Wireguard managed by tailscaled running as root, and some are running additional, fixed Wireguard tunnels without a persistent management service.

Are you looking for a VPN or are you looking for an IPv6 tunnel broker like Hurricane Electric?

Would Wine be better with Microsoft working on it? The frequency and severity of regressions in Windows has been increasing for years now. Maybe for Wine to be a more accurate representation of Windows 11 it needs more bugs and less functionality. The Windows team is good at that.

You can use OpenEBS to provision and manage LVM volumes. Host path requires you to manually manage the host paths.

That sounds like build automation. You can use some Git forge software.

It’s not even good. It’s just scripts for some starter Arch rice, not a serious distro.

Some Unity games may be launched with a parameter that causes them to execute arbitrary code. It seems like it only makes sense on Android. Windows and Linux games can normally only be launched by a process with the same or greater privileges than the process being created, but on Android you can elevate privileges by invoking another app. In practical terms, another app can access the save data of your mobile games.

There was also something about games that register to be launchable directly from a webpage, which would allow web sites to escape the browser sandbox, but it didn’t sound likely.