The model I had in mind was for the proxy to define a VNC extension that
allows the client to query what 'desktops' are available and request
switching between them at any time. The list of desktop would of course
be authorized per client, and strong authentication is a must for this.
Any time a switch was made, the RFB protocol would return to the
'ServerInit' state. The idea is that you should not assume a homogenous
environment, and you really don't want to fall down to the lowest common
denominator of extensions, nor have the proxy doing re-encoding on the FB
data updates. Returning to the ServerInit state allowing the client to
re-negotiate the set of encodings for the new desktop, and so the proxy
can be fairly stateless and while needing to understand the wire protocol,
it can just pass through the actual FB update data unchanged.
The combo of the an extension for switching desktops on the fly and the
encryption state problem doesn't really seem to fit with passing the VNC
FD over with SCM_RIGHTS.