Currently, electron is run inside xvfb, which requires setuid permissions. This makes it incompatible with firejail, which means that we don't get as much protection as we would like for this service.
Let's track options for improving on this situation, and remind ourselves to address the issue.
Headless Chrome eliminating xvfb
The Chrome folks have started work on a headless mode, which would eliminate the need for xvfb: https://phabricator.wikimedia.org/T134205
https://bugs.chromium.org/p/chromium/issues/detail?id=625577 tracks full-page screenshots