Hi Martin
Good point about the depth. I guess we should consider that.
Regarding -localhost, yes that is a good security practice. On the other hand this is nothing that is started by default, it is always started by a human (or a human writing a script for it) so it is not a very important thing.
However there are plenty of use-cases for connecting to local host. You can run applications in a chroot, you can have a different desktop session as another user in the vnc server, you can have that server running there with more important tasks that must survive in case you have to restart your desktop session and so on. So there are plenty of use-cases. However they may not be the most common ones of course.
// Ola