Modern operating systems (OSs) must balance strong security guarantees with
accessibility obligations for blind users mandated by regulation and principles
of equal treatment. Screen readers (SRs) translate user interfaces into braille
or speech, but today’s SRs operate as large, monolithic processes with
privileged access to input, output, and application state. This design places
SRs in the trusted computing base (TCB) and exposes blind users to high risks:
A compromised SR can inject input, capture sensitive output, or impersonate
trusted system messages.

We argue that SR functionality should be refactored into OS services with
strict isolation and least privilege. Our proposed architecture decomposes
input handling, output multiplexing, and braille-device access into components
mediated by the window system and the kernel. This separation removes global
event channels, reduces the TCB, and limits escalation paths. Our design aligns
SR security with existing OS protection mechanisms, thereby shrinking the
attack surface for a critical yet under-protected user group.