Hacker News

> It's not only notifications, it's permissions (that the app won't work until you accept) to track your location, exfiltrate your contact list, and so forth.

My idea of an operating system design (it is intended for desktop and laptop computers, but a variant could also be possible for smartphones and stuff if wanted), that all I/O (including determining the current date and time) must use capabilities (and can be proxy capabilities). The built-in programming language allows users to define new proxy capabilities and configure existing ones, and the C programming language can also be used. This can avoid such invasion of privacy but also is useful for other purposes, e.g. for testing, or to allow programs that expect a camera to work even if you do not have a camera, or to filter or redirect notifications, etc. Therefore, permissions can be as fine and as faked as you intend it to be. And, furthermore, the standard package manager would exclude programs that are designed to be an invasion of privacy and other antifeatures like that (users can still install them manually, and the security features of the system still ensure that it would protect against many kinds of malware and misfeatures).

> It should not be required to, e.g., order food at a restaurant or configure your headphones.

You shouldn't need an app or a web browser to do either of those things anyways.



I'm extremely confused by your first statement. If I take out all the parentheticals, I get:

"My idea of an operating system design, that all I/O must use capabilities."

Any OS feature is a capability. Time and date are not I/O. What does capability mean to you?

Then you go on to say that the built-in language will allow definition of proxy capabilities "and the C programming language can also be used".

How exactly does the inclusion of C avoid invasion of privacy? What such invasions? How does the conclusion follow?

I am sincere, please help me make sense of what you are saying.


I am sorry if I am being unclear. I will try to answer your questions.

> Time and date are not I/O.

In my system, they are. Anything except deterministic operations on the program's own memory is considered I/O.

> What does capability mean to you?

"Capability" refers to capability-based security. For a program to do any I/O, it must be given an object called a "capability" (which is similar to, but different from, a "file descriptor" in UNIX). There is no ambient authority; to open a file you must already be given a capability to open a file, etc. Capabilities can also be used to give someone else an additional capability.

A "proxy capability" is a capability that a program makes up itself, which can be used to pass messages between itself and another program that the proxy capability is given to. Programs cannot distinguish between a proxy capability and any other capability, therefore ensuring that anything that an application program would know from outside of itself can be overridden by the user. So, if a program wants to track your location, a proxy capability can be used to give fake location data (this is useful for testing as well, and also for other purposes e.g. if your computer cannot determine your location but you want to specify it anyways).

> How exactly does the inclusion of C avoid invasion of privacy?

Avoiding invasion of privacy is independent of what programming language is used.
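A toy model of the capability and proxy-capability scheme described in the two comments above (no ambient authority, proxies that the program cannot tell apart from real capabilities, faked or coarsened location data), as an added Python example that is not code from the thread or from the commenter's system; every name, coordinate and timestamp in it is constructed for illustration.

```python
# Added example, not code from the thread: a toy model of the capability design
# discussed above. All names (Capability, app_main, ...) and all sample values
# are constructed for illustration.


class Capability:
    """An opaque handle. The only way to do I/O is to hold one and call it;
    nothing else in the process can reach the underlying resource by name."""

    def __init__(self, name, handler):
        self.name = name
        self._handler = handler

    def __call__(self, request=None):
        return self._handler(request)


# "Real" sources the OS would hand out. Fixed values keep the example deterministic
# (in the scheme above even the clock is I/O and needs a capability).
real_clock = Capability("clock", lambda _: 1_700_000_000)            # constructed
real_location = Capability("location", lambda _: (48.8566, 2.3522))  # constructed


def fake_location(lat, lon):
    """A user-defined proxy capability supplying a chosen location. It is the
    same class as the real one, so the app has no way to tell them apart."""
    return Capability("location", lambda _: (lat, lon))


def coarsen(cap, places=1):
    """A proxy that wraps a real capability and degrades its precision."""
    return Capability(cap.name, lambda r: tuple(round(v, places) for v in cap(r)))


def audited(cap, log):
    """A proxy that records every request before forwarding it to the real one."""
    def handler(r):
        log.append((cap.name, r))
        return cap(r)
    return Capability(cap.name, handler)


def app_main(caps):
    """The application. Its entire authority is the dict it is handed; there is
    no global clock, GPS or contact list for it to fall back on."""
    report = {"time": caps["clock"](), "location": caps["location"]()}
    # It would like the contact list, but it was never given that capability.
    contacts = caps.get("contacts")
    report["contacts"] = contacts() if contacts else "denied"
    return report
```

The same `app_main` runs unchanged whether it is handed the real location, a faked one, a coarsened one or an audited one, which is the point of making proxies indistinguishable.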



