by mcpherrinm 5078 days ago
These types of restrictions are exactly what Linux's AppArmor (as well as SELinux, etc.) do.

I'm not sure what profile Firefox runs under, but what you suggested would be quite reasonable, though maybe not as a default -- you probably want to be able to "save as" to an arbitrary directory, and open files for upload from anywhere too. Though since both of those involve a user dialog, that could easily be a secondary application with its own profile that uses IPC/shared memory/something to pass data to the browser. Smaller target attack area.
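The split the comment above describes, as an added example that is not code from the thread, from Firefox or from AppArmor: a toy "file-dialog broker". The confined side (a stand-in for the browser) never opens user-chosen paths itself; it asks a separate broker process, which opens the file and hands back the already-open descriptor over a Unix socket (SCM_RIGHTS). A MAC profile would then grant filesystem access to the broker rather than to the browser. The function names, the allow-list policy and the sample files are invented for the demo; a real broker would show the user a dialog instead of checking an allow-list. Requires Python 3.9+ on Linux or macOS (os.fork and socket.send_fds).

```python
# Added example, not from the HN thread or any real browser: a toy
# file-dialog broker. The confined side asks for a file; the broker opens
# it and passes the descriptor back via SCM_RIGHTS. All names and the
# allow-list policy are hypothetical, chosen only for this demo.
import errno
import os
import socket
import tempfile


def broker(sock: socket.socket, allowed_dir: str) -> None:
    """Privileged side. Serves one request: open the requested file read-only
    and pass the descriptor back, or reply with an errno name instead."""
    allowed = os.path.realpath(allowed_dir)
    # Resolve symlinks before the policy check, so a link inside allowed_dir
    # that points elsewhere cannot be used to escape the allowed tree.
    path = os.path.realpath(sock.recv(4096).decode())
    if os.path.commonpath([path, allowed]) != allowed or not os.path.isfile(path):
        sock.sendall(b"EACCES")
        return
    try:
        # O_NOFOLLOW: if the final component is swapped for a symlink after
        # realpath() (a TOCTOU race), the open fails instead of following it.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        sock.sendall(errno.errorcode.get(e.errno, "EIO").encode())
        return
    try:
        socket.send_fds(sock, [b"OK"], [fd])   # the descriptor travels as ancillary data
    finally:
        os.close(fd)                            # broker keeps no handle to user files


def read_via_broker(path: str, allowed_dir: str) -> tuple[str, bytes]:
    """Confined side. Returns (status, data); data is empty unless status is "OK"."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:                      # child: the broker process
        client.close()
        try:
            broker(server, allowed_dir)
        finally:
            os._exit(0)               # never return into the caller's code
    server.close()
    try:
        client.sendall(path.encode())
        msg, fds, _flags, _addr = socket.recv_fds(client, 64, 1)
    finally:
        client.close()
        os.waitpid(pid, 0)
    if msg != b"OK" or not fds:
        return msg.decode(), b""
    fd = fds[0]
    try:
        data = b""
        while chunk := os.read(fd, 4096):
            data += chunk
        return "OK", data
    finally:
        os.close(fd)


def demo() -> dict[str, tuple[str, bytes]]:
    """Constructed inputs: an allowed directory holding one file, a file outside
    it, a symlink inside the allowed directory pointing outside, and a missing file."""
    with tempfile.TemporaryDirectory() as allowed, tempfile.TemporaryDirectory() as outside:
        inside_file = os.path.join(allowed, "upload.txt")
        with open(inside_file, "wb") as f:
            f.write(b"hello from Downloads")
        secret = os.path.join(outside, "id_rsa")
        with open(secret, "wb") as f:
            f.write(b"PRIVATE KEY")
        link = os.path.join(allowed, "innocent.txt")
        os.symlink(secret, link)
        return {
            "allowed": read_via_broker(inside_file, allowed),
            "outside": read_via_broker(secret, allowed),
            "symlink_escape": read_via_broker(link, allowed),
            "missing": read_via_broker(os.path.join(allowed, "nope.txt"), allowed),
        }


if __name__ == "__main__":
    for case, (status, data) in demo().items():
        print(f"{case}: {status} {data!r}")
```

The point of passing a descriptor rather than a path is that the confined side's MAC profile can deny it every filesystem read outside its own profile directory and the design still works: the only way it obtains a user file is through the broker, whose policy (here an allow-list, in practice the user's choice in the dialog) is the thing that gets reviewed.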