Well, if it's a CLI based server I'd doubt X would be needed at all.

OpenBSD Amsterdam (A well known provider in the circle of OpenBSD users) doesn't enable X by default on its autoinstall file:

https://openbsd.amsterdam/setup.html

EDIT: It enables xbase.tgz but not the rest.

If you use sysupgrade, all sets will be installed, regardless of which sets were chosen during initial install.

They've even threatened to make just one big set since too many people are not installing all of them and then come ask for help .

https://marc.info/?t=156851721400002&r=1&w=2

Oh true, I forgot that. Still the bug is not remotely exploitable, but I always wanted to send Xlock to /dev/null and propose a patched slock as an alternative. If OpenBSD got evilwm/cwm in base, why not slock? If the problem is the lack of keypresses' feedback on the screen, that could be solved in a easy way.

Yeah, the "it's secure as long as you don't use it for anything" gets old.

Also, OpenBSD is pledging the usespace really fast, such as Firefox and Chrome, among unveil.

Even mgba got patched.

I woudn't call that as "don't use it for anything".

Why would you want X on a OpenBSD server?