It should be possible (and default in the X server really) to isolate X clients by only giving them access to the contents of, and events on, the drawables created by that particular client.
Combined with a way to authenticate privileged apps (which have permission to sniff for any input event and scrape any drawable), you can have your... security cake and eat your... screen grabbers and Guake hotkeys... too?
As it turns out, there are X11 extensions (SECURITY, XACE) which mitigate this problem somewhat, and Xorg has an extension (XSELinux) which allows fine-grained access control to X11 objects via SELinux policy. It's just that the distro vendors don't actually choose to enable it. (Red Hat seems to prefer sandboxing with Xephyr, or else force-migrating everyone to Wayland.)
Combined with a way to authenticate privileged apps (which have permission to sniff for any input event and scrape any drawable), you can have your... security cake and eat your... screen grabbers and Guake hotkeys... too?