Lots of amazing ideas here! One more that would be great is 'sandboxing' if a program can use network/filesystem/etc, then I would feel safe to run any random scrap if I knew I would get some sort of oauth-looking screen that said what it wanted to access.