Quick update: we had a really productive lunch with a bunch of Mozilla and Google peeps (cc'd)
After mulling this whole thing over, we're decided keep shadow trees traversable with a special provision for built-in HTML elements (UA shadow trees) to be non-traversable, per spec. We reached this conclusion after conducting a thought exercise of trying to gain entry into an imaginary private shadow tree, which exists in the same scripting context as the document, just using existing Web platform API -- as you may guess, it's not that difficult. However, to allow developers a degree of enforcing integrity of their shadow trees, we are going add a new mode, an equivalent of a "KEEP OUT" sign, if you will, which will makes a shadow tree non-traversable, effectively skipping over it in an element's shadow tree stack. We couldn't come up with a good name for this mode. "Private" conveys false expectations of being any sort of security primitive. "Hidden" is unclear in purpose. "Get-Off-My-Lawn" is perfect, but a touch too wordy. We will also pursue, as a second phase of Shadow DOM spec, a way to create shadow trees that exist in a separate scripting context and a separate document, but render as part of the main document. These will provide the necessary security guarantees and finally bring the candy trees and unicorns to the Web platform. :DG<