I inquired upstream (https://github.com/dani-garcia/vaultwarden/discussions/4033) if adding pledge(2) and unveil(2) into Vaultwarden would be accepted, and they replied that it would so long as it was "self-contained". I am currently running Vaultwarden with SQLite on OpenBSD 7.4-stable on the amd64 platform that has integrated pledge and unveil using the priv_sep crate (https://crates.io/crates/priv_sep) I maintain. Anyway, there is much work to do this properly so that it works on both amd64 and aarch64 for the many "knobs" that exist in the .env file. If anyone is interested in helping with this endeavor, I'd appreciate it. Conversely, if this is something that is not worth it or desired; then I'll stick to running a locally maintained version.
