by ngneer 1178 days ago
Awesome, thanks for the great analogy and explanation! What you are proposing is the compartmentalization approach, like sealing off areas of a ship or cordoning off a fire using walls (or fire trails in a forest). I am definitely a proponent of capability-based security for tighter control over permissions and limiting the damage when things go wrong. The only problem with that is that some programs by definition MUST have access to user data and therefore by definition WOULD cause harm. So, for example, an email client needs network access and to upload attachments from the filesystem, in order to perform its function. Then, those same said permissions can be subverted. Tricky...

Capability-based security is a much richer choice than the simple app permissions you see on phones; it includes "powerboxes", which replace the dialog box your application calls with the same result... only the user picks the file, and the OS enforces the resulting selection (instead of trusting the app to do it).

As far as the user is concerned, it works the same way... but as far as we programmers are concerned, it now makes it impossible to get at files the user doesn't want the program to reach, in a very simple and transparent way.
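One way to see the difference between the ordinary dialog box and the powerbox described above, as an added example that is not part of this thread: a small Python model in which the trusted side opens the user's choice and hands the application a descriptor-backed capability rather than a path. The `Powerbox`, `FileCapability` and `app_*` names and the constructed home directory are assumptions; the model only stands in for the real enforcement, which is the OS denying the sandboxed application any direct filesystem access of its own.

```python
import os
import tempfile

class FileCapability:
    """Unforgeable reference to one file the OS already opened read-only:
    it carries a descriptor, not a path, so it reaches exactly that file."""

    def __init__(self, fd: int) -> None:
        self._fd = fd

    def read(self) -> bytes:
        # Read until EOF; the holder never learns where the file lives.
        return b"".join(iter(lambda: os.read(self._fd, 4096), b""))

    def close(self) -> None:
        os.close(self._fd)

class Powerbox:
    """Trusted side (stands in for the OS): shows the picker, opens what the
    user chose, and hands the app a capability instead of a path."""
    def __init__(self, user_picks):  # callable simulating the user's click
        self._user_picks = user_picks

    def pick_file(self) -> FileCapability:
        return FileCapability(os.open(self._user_picks(), os.O_RDONLY))

def app_with_path_dialog(user_picks) -> bytes:
    """Conventional dialog: the app receives a path and opens it with its own
    ambient filesystem authority, so the user's pick is only a hint."""
    picked = user_picks()
    other = os.path.join(os.path.dirname(picked), "secrets.txt")
    with open(other, "rb") as f:  # nothing stops it opening a different file
        return f.read()

def app_with_powerbox(powerbox: Powerbox) -> bytes:
    """Powerbox: the app never sees a path; it can only read the handle it got."""
    cap = powerbox.pick_file()
    try:
        return cap.read()
    finally:
        cap.close()

def demo() -> tuple:
    """Constructed home dir with an attachment and an unrelated secret file."""
    home = tempfile.mkdtemp()
    for name, body in (("attach.txt", b"quarterly report"), ("secrets.txt", b"private key")):
        with open(os.path.join(home, name), "wb") as f:
            f.write(body)
    user_picks = lambda: os.path.join(home, "attach.txt")
    return app_with_path_dialog(user_picks), app_with_powerbox(Powerbox(user_picks))
```

`demo()` returns what each application variant ends up reading after the user picks `attach.txt`: the path-based app reads whatever it likes, the powerbox app reads only the file it was handed.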