IPFS and security on localhost

I’ve got a question I’ve been wanting to ask for a while. I get the impression that IPFS often assumes that whoever is running the IPFS daemon is the only person on the system. I say that because by default the IPFS api binds to localhost. I’ve heard some people suggest protecting the API by putting it behind a gateway but that still doesn’t keep anyone else logged into the system from accessing your running daemon. I think you can restrict access to localhost on some specific port to some particular user using iptables but you’d have to be root to do that and if you have a system with multiple users logged in there’s a good chance you don’t have root.

In Linux, you can specify a unix-socket listen address for the go-ipfs API. And then you can control who can read/write just as if it was a regular file.