[acdha]

In general, I think that approach would need one other change to either prevent “core” resources (e.g. firmware, kernel, system binaries) from being modified or having a fail-safe way to reset those files back to a trusted base state. Otherwise it'll just hit the same problem where many users will approve any request described as necessary to run the free game/movies/porn/etc. and lose control of their computer.

This is basically what Apple shipped in OS X 10.11 where you can trust third-party developers but System Integrity Protection (https://support.apple.com/en-us/HT204899) tries to limit the damage that even getting root can cause.