@emily i forgot about apparmor. never heard of UAC: "User Account Control"?

I think it's partly a UI problem insofar as communicating to end users what capabilities a given program needs, what even is a program (seriously: not all users will understand), what are the implications of not just one capability but certain subsets of capabilities, when do you even need to tell users about the capabilities vs ensuring they're secure on delivery...but I've quickly gotten into whole-system design because a lot of this, just trying to make the interface nice, you end up "putting lipstick on a pig", right?

I think that's part of what motivates "object capabilities" a la #spritelygoblins. I haven't taken the time to grok what they've actually achieved there and whether it solves any of those putative interface problems though