Qemusystem vs Qemusession

Today I learned the difference between qemu:///system and qemu:///session.

The system libvirtd instance qemu:///system launches the vms using the unpriviliges use qemu. And can grant the vm selective access to root owned resources.
Access to qemu:///system is mediated using polkit and any user wanting to access it should provite the root password.
By default users in the libvirt group have access to libvirtd (the group can be changed in polkit config)
VMs are run as the default user qemu, and cannot access user files if the frontend application (virt-manager) is running another user.

The user daemon qemu:///session is auto-launched if it’s not already running. each user has his own qemu:///session seperated.
Most priviliges problems are related to networking use cases.
The default networking mode is the usermode networking (SLIRP) (ip stack in the user space).
Another option is to access bridged networking mode, through setuid script qemu-bridge-helper.