DBus API allows manipulation by any outside app that requests access
Currently, any random application (running as the same user as the application exposing the a11y APIs, or as root) can open a connection and utilize the a11y APIs. For security reasons, we should find a way to tighten this. See the discussion at gtk!1120 Polkit might be useful here.