Some limits to arguing about security:

Some objects need no authority beyond what their clients hold. Sometimes at this site we call functions provided by such objects ‘facilities’. You might think that bugs in the behavior of such objects cannot become security exploits, but if clients rely on the function of the facility to decide what to do with their other powerful capabilities, then a bug in the facility can impact security. One generally relies on the objects one uses, but not always.
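The following is an added illustration of this point, not code from this site: a comparison facility that holds no capabilities, and a client that relies on its answer to decide whether to use a powerful one. All names (equal_buggy, equal_fixed, Vault, Gatekeeper) and the token value are hypothetical, and the bug is constructed for the example.

```python
import hmac

def equal_buggy(a: bytes, b: bytes) -> bool:
    """Facility: a pure comparison that holds no capabilities at all.
    Constructed bug: zip() stops at the shorter input, so lengths are
    never compared and any prefix (even b"") compares equal."""
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0

def equal_fixed(a: bytes, b: bytes) -> bool:
    """Same facility without the bug; still holds no authority."""
    return hmac.compare_digest(a, b)

class Vault:
    """The powerful capability. Only the gatekeeper holds a reference."""
    def __init__(self, contents: str):
        self._contents = contents
    def read(self) -> str:
        return self._contents

class Gatekeeper:
    """Client of the facility. It relies on the facility's answer to
    decide what to do with the Vault capability it holds."""
    def __init__(self, vault, expected: bytes, equal):
        self._vault, self._expected, self._equal = vault, expected, equal
    def request(self, token: bytes):
        # The facility is handed two byte strings and nothing else,
        # yet its answer decides whether the vault is read.
        if self._equal(token, self._expected):
            return self._vault.read()
        return None

def demo():
    vault = Vault("constructed secret")
    weak = Gatekeeper(vault, b"s3cret-token", equal_buggy)
    sound = Gatekeeper(vault, b"s3cret-token", equal_fixed)
    return {
        "buggy facility, empty token": weak.request(b""),
        "fixed facility, empty token": sound.request(b""),
        "fixed facility, right token": sound.request(b"s3cret-token"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

The facility never receives the Vault in either version; only the client's reliance on its answer connects the bug to the capability.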

Suppose that object X generally holds capabilities more powerful than its clients. (X is not a facility.) Suppose that there is a bug in X. Suppose that all clients of X are of some fixed set of types that do not exploit that bug. With these suppositions it might seem that the bug is harmless. If there is a bug in client C, however, a client of C might exploit C's bug to insert new behavior into C that indeed exploits the bug in X.