Do you enjoy going through all of the dialogs and whatnot to run an application today? Consider all of the switches and opt-outs going on on a smartphone today.
"X wants to do X, Y, Z, Q, E, D, A, B, C on your device. Is that ok?"
Do you think users are going to say no? They want to run the software. The software is an all or nothing affair. "Use our software, we only ask for 'X, Y, Z, Q, E, D, A, B', unlike those other guys". Think that happens much? I don't think the companies are competing at that level, because the more they DON'T do, the fewer services they can provide.
The litany of dialogs and options and managing all that sends the cognitive load of using the device on an exponential spiral.
Most folks habitually click through those alerts. "Yes, I agree to the 1000 word, 4pt font, unread license. Yes, you can track my location, YES! You can have my contacts, Gee willikers I just want to PRINT A PHOTO!!11!".
It is exhausting!
It's a false sense of control. "Well, sure you can turn all of that off...but then what? Guess you didn't want those tickets to that concert then, did you?"
The action, unfortunately, has to be regulatory, and I don't see how that can be practical either without vast loopholes, as we've seen with the cookie banner hell we live with today.
>"X wants to do X, Y, Z, Q, E, D, A, B, C on your device. Is that ok?"
That's NOT capability-based security. (Like Java/JavaScript, there's confusion.)
In a capability-based system you use a power box (a system-supplied dialog box) to select files for a program to operate on, just like users do already with file select dialog boxes. It's just that the program ONLY gets the capability to operate on those files and nothing else. There are no complicated flags or anything like that to mess with.
You pick the photo to print and the printer to send it to and you're done.
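The power box flow described in the comment above, as an added sketch that is not part of the thread: a trusted picker opens the one file the user chose and hands the app only a read-only descriptor. The function names, file names and file contents are constructed for illustration, and ordinary Python still has an ambient `open()` that a real capability system would withhold from the app.

```python
import os
import tempfile

def powerbox_pick(user_choice_path):
    """Trusted side: stands in for the system file-select dialog.
    Opens only the file the user picked, read-only, and returns the descriptor."""
    return os.open(user_choice_path, os.O_RDONLY)

def print_photo(photo_fd, printer_write):
    """Untrusted app: receives a descriptor for one file and a printer sink.
    It is never given a path, a directory handle, or any other file."""
    data = b""
    while chunk := os.read(photo_fd, 4096):
        data += chunk
    printer_write(data)
    return len(data)

def try_overwrite(photo_fd):
    """The app tries to exceed its grant by writing through the descriptor.
    The kernel rejects it because the descriptor carries read authority only."""
    try:
        os.write(photo_fd, b"tampered")
        return "written"
    except OSError:
        return "denied"

def demo():
    with tempfile.TemporaryDirectory() as home:
        # Constructed sample files standing in for the user's data.
        photo = os.path.join(home, "photo.jpg")
        contacts = os.path.join(home, "contacts.db")
        with open(photo, "wb") as f:
            f.write(b"constructed-photo-bytes")
        with open(contacts, "wb") as f:
            f.write(b"constructed-contacts")
        printed = []                    # stands in for the chosen printer
        fd = powerbox_pick(photo)       # the user picks the photo, nothing else
        try:
            size = print_photo(fd, printed.append)
            overwrite = try_overwrite(fd)
        finally:
            os.close(fd)
        with open(photo, "rb") as f:
            intact = f.read()
        return size, printed[0], overwrite, intact

if __name__ == "__main__":
    print(demo())
```

The contacts file exists next to the photo, but the app function holds no reference through which it could name or reach it.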
Depends on who controls the capability granting. Which at the end of the day feels a lot like ACL just with functionality based controls instead of file based (with some functional bits bolted on the side).
It's not just like ACLs, though. An ACL is like permissions into a vault.
Capabilities are like taking a $10 bill out of your wallet to pay for a coffee: the most you can lose is the capability ($10 bill) you deployed in the transaction; you can't somehow lose your entire bank balance.
Another analogy is that of a circuit breaker. No matter what, it protects the wires in your house from overcurrent. You never have to worry about accidentally taking down the power grid when you plug in a toaster.