Applications running on the Vita are subject to restrictions based off of their authentication ids. Certain syscalls can only be called by applications that have permission to call it. For example, SceShell can make certain calls to install packages or mount file systems that games can't. Therefore an userland exploit is more valuable in a system application like CMA or SceShell because regular games and applications do not have access to many syscalls.
File System Sandbox
Most applications do not have the special authentication id to access files outside of their own sandboxed directory. Applications access their own resources through
app0, which is mounted to point to their own directory and is also mounted as read only (applications cannot modify their own resources). Certain virtual partitions can be accessed on demand as specified by the SDK. Some examples include
savedata0. However, there is no way to mount actual partitions like
ux0 (memory card).
Since 2.06, user shared libraries like SceLibKernel are loaded to randomized addresses. The randomization was later improved to be more random in 2.60.
Since 2.60, user applications (the main library) themselves can be compiled with ASLR support. Although not all games and applications choose to use this feature of the compiler, more and more are.
Syscall numbers are not statically assigned. On each boot, the same kernel module exports will have different syscall numbers. However, the delta between syscall exports from the same module are the same, so in theory if you can identify one syscall from a module, you can calculate all the other syscalls.
List of System Applications