As noted in the sandbox meeting today - and also in Bug 1554110 although that's about a different situation - a content process can debug another content process. Fixing that requires INTEGRITY_LEVEL_UNTRUSTED which requires a lot of refactoring we're also doing for win32k.sys lockdown.
However, a hack available to us would be to start the privileged content processes (both the Privileged About Process and the Privileged Mozilla Content Process) with Medium Integrity which would prevent them from being debugged by a (Web) Content Process running with Low Integrity.
Obviously if you can get RCE in either of the Privileged Content Processes that's bad; but how bad is it from an OS sandboxing perspective? You can't debug the parent process right?
Bob - do I have all this correct? Should we do this?
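A way to check the effect of the proposed change on a running Firefox, as an added example rather than anything from the bug or from Mozilla's tree: the script below reads the mandatory integrity level of each firefox.exe process through the Win32 token APIs and reports whether the caller's own token can open that process with the memory access a debugger needs. It assumes Windows 10 or later with Windows PowerShell 5.1 or PowerShell 7; the type name `Win32IL` and the function names are this example's own choices.

```powershell
# Added example, not Mozilla code. Reports the integrity level (IL) of every
# firefox.exe process and whether the current token could open it for the
# access a debugger needs. Assumes Windows 10+ and PowerShell 5.1 / 7.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Win32IL {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$PROCESS_VM_OPERATION_READ_WRITE   = 0x38   # PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
$TOKEN_QUERY                       = 0x8
$TokenIntegrityLevel               = 25     # TOKEN_INFORMATION_CLASS::TokenIntegrityLevel

function Get-ProcessIntegrityLevel {
    param([int]$ProcessId)
    $M = [Runtime.InteropServices.Marshal]
    $hProc = [Win32IL]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { return "open failed (err $($M::GetLastWin32Error()))" }
    $hTok = [IntPtr]::Zero
    try {
        if (-not [Win32IL]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) { return 'token open failed' }
        # First call with an empty buffer only reports the size required.
        $needed = 0
        [void][Win32IL]::GetTokenInformation($hTok, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$needed)
        $buf = $M::AllocHGlobal($needed)
        try {
            if (-not [Win32IL]::GetTokenInformation($hTok, $TokenIntegrityLevel, $buf, $needed, [ref]$needed)) { return 'query failed' }
            # TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES, whose first field is the PSID.
            # The IL is the last sub-authority (RID) of that S-1-16-x SID.
            $sid   = $M::ReadIntPtr($buf)
            $count = $M::ReadByte([Win32IL]::GetSidSubAuthorityCount($sid))
            $rid   = $M::ReadInt32([Win32IL]::GetSidSubAuthority($sid, $count - 1))
        } finally { $M::FreeHGlobal($buf) }
    } finally {
        if ($hTok -ne [IntPtr]::Zero) { [void][Win32IL]::CloseHandle($hTok) }
        [void][Win32IL]::CloseHandle($hProc)
    }
    switch ($rid) {
        0x0000  { 'Untrusted' }
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x2100  { 'MediumPlus' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { '0x{0:X}' -f $rid }
    }
}

function Test-DebuggerAccess {
    param([int]$ProcessId)
    # Read/write/VM-operation rights are the floor for poking another process's
    # memory; DebugActiveProcess needs PROCESS_ALL_ACCESS, so a denial here means
    # attaching a debugger is denied too.
    $h = [Win32IL]::OpenProcess($PROCESS_VM_OPERATION_READ_WRITE, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $false }
    [void][Win32IL]::CloseHandle($h)
    return $true
}

Get-Process -Name firefox -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Pid         = $_.Id
        IL          = Get-ProcessIntegrityLevel -ProcessId $_.Id
        DebugAccess = Test-DebuggerAccess -ProcessId $_.Id
        CommandLine = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine
    }
} | Format-Table -AutoSize -Wrap
```

Run from an ordinary Medium IL shell this mostly confirms which children run at which level (the command line shows which ones are content processes). The interesting run is from a Low IL shell, for example one started with Sysinternals `psexec -l powershell.exe`: there `DebugAccess` should be `False` for the parent and for any content process started at Medium, and `True` only for other Low IL processes whose DACL permits it, which is exactly the gap the comment describes.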