#Please, elaborate...

It's quite simple. Any explicit user-space security measure can be circumvented. security has to be founded on the bedrock of the system.

example: If the entity "garage door open button" exists, I can paste as much security on top as I want to. Anyone who can break out of their permissions cage can access it.

If on the other hand, said button had an intrinsic property that requires me to provide a pass code to access it, an attacker would at the very least have to break into the HAOS layer to circumnavigate it.

if that property was rooted in, say selinux, the attacker would have to break the kernel code to get at it.

It's in principle the software equivalent of having one of those cheap one-piece fingerprint locks that control the lock solenoid directly. All you have to do is pop the cover off and you can bypass them.

This has been requested for years: https://community.home-assistant.io/t/access-control-a-comprehensive-standard-integration-into-the-core/420145

I bet it has. Security and robustness isn't flashy and feature-y, that's why it always gets hind teat until it's too late. See Crowdstrike.

It is currently on the roadmap, but we have no ETA of when/if it will get added. LOTS of discussions around it, however.

Discussions are better than nothing, at least it keeps it in the forefront of people's brains.

I've been to IT-SA this year, it's been a real eye-opener to see all those demos.