why- Open BSD .rocks

unveil(2) (∞)

The unveil system call limits the filesystem open call to a given set of paths. It extends the idea of pledge: simply limiting programs to open is insufficient, because open is valid for the the whole filesystem.

For example, why should a program like passwd(1) have access to your file system beyond /etc/passwd and /etc/shadow?

If there is a security bug in passwd then effects would be quite limited.