by nickpsecurity
3371 days ago
In that case, you need process isolation and permissions, not user privileges. Prior models for mandatory access control and capability-based security can already do what you're describing. KeyKOS did it in production on mainframes decades ago, with the extra benefit of persistence for app data. System/38 did one of those models, too, at the CPU level. It later became AS/400 and IBM i. AS/400s run and run and run. So, if you want POLA and damage containment, one option is imitating old designs that pulled that off. Patents expired, too. ;)
However, you have to bear in mind that this tangent did start off as an exercise in generalisations, so I was following on from that by pointing out that many current multi-user systems also use user accounts as a tool for reducing the exposure a process has. While you'd obviously agree that it's a long way from being the most secure method of hardening an OS, it is still a pretty typical way for many desktop systems to operate.