@bhaak Compared to "users directly downloading and running VideoPlayer9000NotAVirus.exe" as mentioned above, an attacker having to actively exploit anything at all is very much "depth" in this circumstance, even if it turns out to not be all that deep.

(Sidenote, I wonder if VLC would be interested in implementing native "blast door" sandboxing and privilege-dropping in the GUI player similar to what browsers have done, if they haven't already?)