What does "Protection mode" mean for add-ons?

Hello everyone!

What does “protection mode” mean exactly in the context of a Home Assistant add-on running under the supervisor? I am trying to develop an add-on to access a DVB device.

If I set devices to /dev/dvb in my add-on manifest I can see the /dev/dvb/adapter0/* device nodes in my container, however TVHeadend doesn’t seem to pick them up.

I do not think it’s a user privilege issue as the daemon runs as root and should have access.

If I instead set full_access to true in my manifest and disable “protection mode” everything works properly, but I’d like to understand what exactly is “protection mode” to figure out what’s preventing it from working and come up with a configuration that gives it the minimum privileges it needs to run.

The documentation doesn’t seem very clear on this. What does “any rights on the system” include, and how does that interact with the various devices/usb/etc options in the manifest?