
Because nc(1) is only pledged for fork and exec when you explicitly supply something for it to exec? Otherwise it takes codepaths that do not grant that pledge permission.

Having something be capsicumized (?) and exec capable seems to be mutually exclusive.



This isn't about nc's pledge call; this is about the thing that might call nc. A shell that is prevented from calling socket or connect, but can exec nc, is still able to establish a network connection.



