The D-Bus interface is rather small but, strangely, completely unauthenticated. It allows all local users (including nobody et al.) to e.g. lock an active session or switch between sessions. Also, the creation of a session seems within reach; however, in my tests it failed for some reason that I don't fully understand. Maybe we can configure something in our packaging that leaves less attack surface there ...
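
One way to check what a packaged bus policy exposes to every local user, as an added example that is not part of the original comment or the project's code. It assumes the service sits on the system bus and that access is governed by a dbus-daemon policy file; the service name `org.example.SessionService`, the group `session-admins` and both policy snippets are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed policy as a package might ship it: any local user may call
# every method on the (placeholder) service.
WEAK_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.example.SessionService"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.SessionService"/>
  </policy>
</busconfig>"""

# Constructed tightened variant: unprivileged callers may only introspect;
# a dedicated (hypothetical) group gets the full interface.
HARDENED_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.example.SessionService"/>
  </policy>
  <policy group="session-admins">
    <allow send_destination="org.example.SessionService"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.SessionService"
           send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
</busconfig>"""


def world_callable(policy_xml):
    """Return destinations that any local user may send arbitrary calls to.

    Simplification: later <deny> rules that would override an allow are
    not modelled, so treat a hit as a prompt for manual review.
    """
    exposed = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        # context="default" rules apply to every caller, including 'nobody'.
        if policy.get("context") != "default":
            continue
        for rule in policy.findall("allow"):
            dest = rule.get("send_destination")
            # An allow with no interface/member restriction opens the whole API.
            narrowed = rule.get("send_interface") or rule.get("send_member")
            if dest and not narrowed:
                exposed.append(dest)
    return exposed


if __name__ == "__main__":
    print("weak:", world_callable(WEAK_POLICY))
    print("hardened:", world_callable(HARDENED_POLICY))
```

A bus policy only limits who can reach the service; a service that performs no caller checks of its own remains unauthenticated for everyone the policy lets through.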