Description of problem: Start typing private data into any application, observe what happens when an IM client, web browser dialog prompt or similar pops up. Type Red Hat bugzilla password into IM client by mistake. It isnt safe for a window mnanager (especially one supposedly 'safe' for end users) to go around doing this. In the mouse-over focus case there isnt a lot you really do about it I agree but in click-to fpocus (the end user norm) it can be. I also know about "secure" mode in xterm, whooppeee, no other app uses it and no app has the context to know its needed. No basic end user knows about it either.
The relevant bug is http://bugzilla.gnome.org/show_bug.cgi?id=118372 See wm-spec-list for the details. We can use startup notification and the new hint to get this right.