Comment by kristjank

OpenBSD exposes pledge() and unveil(), which allow programs to only access things they declare they need. So, even if the running SSH process gets exploited, it can't do anything the user it's running as can't do. sshd afaik runs as a root process which after authentication forks into another process, running as the target user.