Some more exploit vectors from the FD list: https://seclists.org/fulldisclosure/2020/Nov/13
Partial results: 1. mutt (text email client) exposes ~/.mutt/muttrc, which might contain the imap password in plaintext. 2. Some time ago on a multiuser debian mirror we found a lot of data, including the wordpress password of the admin. 3. Anything created by EDITOR NEWFILE is readable, unless the directory prevents. This include root doing EDITOR /etc/NEWFILE
