When trying to ssh -X to a Cloud CPS box, I get (with -v) X11 forwarding request failed on channel 0 and forwarding is not set up. The usual workarounds (installing xauth, adding X11Forwarding yes / X11UseLocalhost no to sshd_config) do not seem to work.
It creates a tunnel inside the SSH connection through which applications running on the remote machine can connect to the X11 server of the local machine (so you can e.g. run selenium tests on the remote and see the browser window as if the browser were running locally).
In this instance, I was just trying to forward the connection from the labs-vagrant box inside that cloud host (so ssh -X into the cloud box and then run vagrant ssh -- -X) but X11 forwarding is broken somehow. Connecting to the vagrant box directly works.
Hm. In non-trusted mode only the ones that are forwarded from that host, but apparently Debian uses trusted mode by default...not sure what exactly that means. All keyboard events at the very least, probably screenshots too.
Apparently firejail includes an X11 sandbox which is another way to prevent access to local windows.