Most services on a Linux VPS run with far more power than they need. A web app that only has to read its own files and listen on a port often runs able to write anywhere on the filesystem, see every other process's temp files, and acquire new privileges at will. If that service is ever compromised, all of that latent …