This is a problem but fwiw libcs should be falling back to old system calls. You can block clone3 today and see that your libc will fall back to clone.

Yeah. But it still means wandering into de facto unsupported territory in a way that pledge/unveil/landlock does not.

Your example may be true, but I'm guessing it's not a guarantee. Not to mention if one wants to be portable to musl or cosmopolitan libc. The others inherently are more likely to work in a way that any libc would be "unsurprised" by.

Yeah for sure, it's a real issue. In general, seccomp feels hard to use unless you own your stack top to bottom.
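
An added example, not part of any comment in this thread: a C sketch of the experiment the first comment describes, using a seccomp filter that fails clone3 with ENOSYS (the "not implemented" error) and then creating a process through libc. The names `deny_clone3` and `clone3_fallback_check` are hypothetical, and whether a given libc tries clone3 first depends on the libc and its version.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <spawn.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef __NR_clone3
#define __NR_clone3 435 /* fallback for old headers; 435 on x86-64 and arm64 */
#endif
extern char **environ;

/* Fail clone3 with ENOSYS, allow everything else. A production filter
   would also validate seccomp_data.arch; left out here to stay short. */
static int deny_clone3(void) {
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof insns / sizeof insns[0], .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Runs the experiment in a forked child so the caller stays unfiltered.
   Returns 0 when clone3 is denied and libc can still create a process. */
int clone3_fallback_check(void) {
    int status, st;
    pid_t kid, pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "sh", "-c", "exit 0", NULL };
        if (deny_clone3() != 0) _exit(2);            /* filter not installed */
        /* The filter decides before the kernel inspects the arguments. */
        if (syscall(__NR_clone3, NULL, 0) != -1 || errno != ENOSYS) _exit(3);
        /* libc's own process creation must still work, via clone if needed. */
        if (posix_spawn(&kid, "/bin/sh", NULL, NULL, argv, environ) != 0) _exit(4);
        if (waitpid(kid, &st, 0) != kid || !WIFEXITED(st) || WEXITSTATUS(st)) _exit(5);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) { return clone3_fallback_check(); }
```

A non-zero exit code identifies the step that failed: 2 for installing the filter, 3 for the raw clone3 call, 4 or 5 for process creation through libc.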