Hacker News

What's the permissions model like? I'm on board with

"Because we want to run apps from unidentified developers that need no blessing by the operating system vendor"

but I also don't want that cool calculator application I just downloaded to have access to the network, my webcam or microphone, my photos, email, or really any files outside of the ones in its directory.

I do have nostalgia for the way computers used to be, but there have been a lot of OS improvements since then that I don't want to give up.



I agree that third party applications shouldn't be given carte blanche by default. Third parties are best assumed to not be well-behaved, because it's been proven many times over that devs can't be trusted to keep their hands out of the cookie jar and to follow best practices (which I say as a dev myself).

The extent of moddability and control afforded by Mac OS 9 extensions, with their ability to patch the OS itself in memory as they pleased, was incredible, but it was ridiculously insecure and unstable, which makes that model untenable today. Applications having full access to everything is no different.


> but I also don't want that cool calculator application I just downloaded to have access to the network, my webcam or microphone, my photos, email, or really any files outside of the ones in its directory.

I think that the way to do it should be capability-based security with proxy capabilities, and that can be controlled directly by end users. (The existing ways (user accounts, existing sandboxing systems, etc.) have many problems, in my opinion.)

However, I think this HelloSystem is based on BSD so it would use POSIX. (EDIT: Now I found apparently FreeBSD has a capability mode too, so maybe it can use capabilities.)


Can't agree. The solution to this problem historically was to only download a shiny new calculator app from trusted sources. So only official builds of open-source or software made by reputable software companies. Too limiting for many people though, in particular techies.



