Partition Scheme

Hey guys,

On FreeBSD, do the security practices from Linux also apply to partitioning the HD?

Usually I do something like this (on Linux):

Code:
/boot      ext4   primary
/          ext4   logic
/var       ext4   logic     nodev,nosuid,noexec
/var/log   ext4   logic     nodev,nosuid,noexec
/usr       ext4   logic     ro,nodev
/home      ext4   logic     nodev,nosuid
/tmp       tmpfs  logic     nodev,nosuid,noexec
swap              primary

I'm trying to focus on security; is this fine, or is there another best practice?
The Handbook doesn't have examples for this specific situation; instead, it says to keep the default installation.

Thanks in advance.
 
Do not put /boot on a separate partition unless you absolutely have to (for example when using a geli(8) encrypted system); there are no security gains from using a separate partition for it.
 
Thanks for the reply @kpa!

I forgot to say, on Linux I use LVM + Encryption, and because of this /boot has a separate partition.
I'm willing to do the same thing on FreeBSD, ZFS + Encryption.

For now I'm trying to get the layout scheme for installing in multiple virtual machines.

(I'm testing how to decrease the RAM for ZFS; today I'm testing this guide https://wiki.freebsd.org/ZFSTuningGuide. My goal is to use 512 MB for ZFS in each virtual machine, saving RAM on the host, or in other words 512 MB RAM for ZFS + 256 MB RAM for the OS + X RAM for applications.)
 
wisdown said:
Thanks for the reply @kpa!

I forgot to say, on Linux I use LVM + Encryption, and because of this /boot has a separate partition.
I'm willing to do the same thing on FreeBSD, ZFS + Encryption.
If you are planning on using ZFS, your proposed disk partitioning is irrelevant. A ZFS installation will create a single zroot zpool on a single disk partition (for non-mirrored setups) and create individual datasets (filesystems) for /, /tmp, /usr and /var, and numerous child datasets of the aforementioned, in the zroot zpool.
 
Can someone explain to me why fragmenting the "system" directories into multiple file systems improves security, with perhaps the exception of /tmp and /var/spool being on a separate file system?

If someone manages to get onto the system as a normal user (or already is a normal user), then normal access control should prevent them from doing anything harmful, other than perform a denial-of-service attack by overusing shared disk space that they can write to (perhaps indirectly), which is the /tmp directory, and the spool directories for outgoing mail and print jobs.

If someone manages to become root, then no partitioning scheme will help anyhow, as they can simply do a dd if=/dev/zero of=/dev/adaxx, and be done with this machine and all its file systems.

I see the real purpose of segregating file systems in preventing snafus (mostly inadvertent, don't ascribe to malice what can be explained by incompetence) due to running out of disk space. For example, on my home machine I run mt-daapd (the iTunes music server), which has the nasty habit of logging an insane amount to /var/log, and I need to frequently trim its logs to prevent it from running the system into the ground. But the correct solution for this problem would be a quota system, for example using ZFS.

On a performance-oriented system, there may be other good reasons to partition file systems, for example putting file systems that have mostly small IO reads onto SSD, ones that mostly have large sequential writes and appends onto fast spinning disks (unless they call fsync all the time, in which case you may want a log- or journal-based solution using SSDs for the small writes), and rarely accessed capacity-bound file systems onto high-capacity disks. But I think most home systems and small commercial servers don't have that kind of performance need on their system directories (excluding /home and the directories for servers, such as NFS, CIFS, database, web).

Personally, I still partition my root disk, but that's mostly force of habit.
 
Splitting some directories out allows them to be mounted with different options, like noexec or nosuid. But also remember that a lot of Linux distributions don't have the clear separation of base system and applications that FreeBSD has, and sometimes end up with application data in what FreeBSD would call system directories.
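Whichever way the file systems are split (the scheme in the first post, or ZFS datasets), what matters operationally is that the mount options are actually in effect after boot. The following is an added example, not code from this thread or from FreeBSD: a POSIX sh audit that reads fstab-format lines (the format `mount -p` prints on FreeBSD) and reports mount points missing the noexec/nosuid/ro options from the scheme above. The policy table and the sample mount lines are assumptions constructed for the example.

```sh
#!/bin/sh
# Hardening options each mount point must carry (assumed policy, modelled on
# the scheme in the first post; nodev is left out since the check is meant
# for FreeBSD, where only noexec, nosuid and ro from that list apply).
policy() {
    case "$1" in
        /tmp|/var|/var/log) echo "nosuid,noexec" ;;
        /home)              echo "nosuid" ;;
        /usr)               echo "ro" ;;
        *)                  echo "" ;;
    esac
}

# has_opt OPTLIST OPT: succeeds when OPT appears in the comma-separated OPTLIST.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts reads fstab-format lines on stdin
# (device mountpoint fstype options dump pass), prints one line per missing
# option and returns the number of violations found (0 means compliant).
audit_mounts() {
    violations=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac   # skip blank/comment lines
        required=$(policy "$mnt")
        if [ -z "$required" ]; then continue; fi  # no policy for this mount
        for want in $(printf '%s' "$required" | tr ',' ' '); do
            if ! has_opt "$opts" "$want"; then
                printf 'MISSING %s on %s (mounted with: %s)\n' "$want" "$mnt" "$opts"
                violations=$((violations + 1))
            fi
        done
    done
    return "$violations"
}

# Constructed sample, not taken from a real host. Two violations are expected:
# /tmp lacks noexec and /usr is not read-only.
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
/dev/ada0p3 /tmp ufs rw,nosuid 2 2
/dev/ada0p4 /var ufs rw,nosuid,noexec 2 2
/dev/ada0p5 /usr ufs rw 2 2
/dev/ada0p6 /home ufs rw,nosuid 2 2'

# Live use on FreeBSD would be:  mount -p | audit_mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts || echo "$? violation(s) found"
```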
 