Before we go down this path, I'd like to see a high-level plan for
dealing with this.  The NetBSD kernel interface, at least, seems not
to do per-user checking of credentials against objects in the
minicache.  So, I think it's probably necessary to fault per-uid
permissions into the minicache from venus when a new uid accesses an
object.

All that said, I think fixing the repair bugs in venus is far more
important.

  I want to be able to walk to any reasonably maintained computer,
  whose administrator ran "coda-client-setup" once, use Coda and feel safe.
  It is perfectly possible, isn't it?

Perhaps for you, but the set of people I trust to run a computer well
enough to trust it is pretty slim anyway.

Certainly coda should change to something more than xor.  Until then,
you don't have any rational basis for feeling safe, other than a
threat model that says no one is after you and blackhats are probably
not going to write coda serve spoofing tools.  It would be a fun proof
of concept though, and perhaps what it takes to replace xor!