Consider running openvpn as non-root
Issue description

Some context: https://groups.google.com/a/google.com/d/msgid/chromeos-security-core/CAKUbbxKXQns0yWOiA2CDtKiug8jJOCxn5R4EnrSLegqF-bM55g%40mail.gmail.com

"""
Why is openvpn running as root? You're mentioning it drops privileges internally? The source code suggests it can do set[ug]id() + chroot, but we're only making use of set[ug]id. Given the fact that openvpn doesn't require a lot of system access it might make sense to sprinkle some minijail into the invocation? It'd ideally run with only access to input and output pipes, crypto keys as needed and under a restrictive seccomp filter.
"""
Jan 15
Comment 1 by weifangsun@chromium.org, Oct 6 2017