[yjftsjthsd-h]

Er, no? To select an avatar, the app triggers a file picker, you navigate anywhere in the filesystem and pick a file, and the system hands the app just that file with no access to anything else.

In the case where you want an app to have persistent access to a directory, it's true that the easiest way is to use the normal filesystem layout and then take the default mappings, but at least with flatpak you can tell it to map in arbitrary different directories and then use them just fine (ex. I've used this to give Steam storage on external disks).

These features are effective when used, and while they can have inconveniences, those rough edges can be rounded off by customizing the protections (while still protecting most of the system).

[MyPasswordSucks]

Oh, yeah, duh. Sorry about that. The file picker route is generally fine*, though I still think the edge cases where I want a program to be able to modify another program's files in-place are numerous enough that I don't think it should become a "soft-standard" on desktop environments.

*As long as it isn't GTK browser on Windows, which absolutely should be a U.N. matter.