It seems like a binary cache can already get root on your system - it is serving you binaries to run, often as root. Don't authorize a binary cache you don't trust.
The problem is that arbitrary users can cause Nix to unpack arbitrary NARs and edit arbitrary files that user shouldn't have permissions for. The system doesn't have to be configured to trust any particular binary cache. This is just straight up persistent privilege escalation, plain and simple.