"This program is asking for extended permissions. It's asking:
File permissions: Read, write, and modify"
Now, is this because it allows me to select a custom avatar from the files on my device and save it after cropping it in the app? Or is it because it's going to check all my files and upload the really juicy ones to Scary Hacker Doods and change my name in all my documents to "Ima Dichwied"? I dunno! I have no way of knowing! Gosh, I guess I'll just figure out if I trust the app or not and click "sure" if I do, which means I'm in the exact same boat I'd be in before the permission prompt addicts came into vogue, except with the added annoyance of a popup (and occasionally an app which then needs to be restarted because the initial lack of access threw it into an unexpected state). This does not benefit me. It does not make my device safer. It does not make me feel safer. It does not make my experience more pleasurable. It will never do any of those things. It only serves to slightly raise my baseline level of annoyance.
And I'm someone who (sometimes) knows what I'm doing! It's even worse for people who aren't tech-savvy! The Joe Sixpack user class has split into two camps, one of which is mindlessly clicking "YES I want to run it, YES it can make changes, YES I'm sure, YES the .msi called by the .exe can also run and make changes, YES I want the free 30-day trial of Pro Premium Plus edition, YES I consent to automatic billing on day 31, YES install the browser toolbar, YES let's play Global Thermonuclear War!" because they're, surprise surprise, completely desensitized to warning prompts thanks to the over-proliferation of nattering popup nonsense, and the other of which is thrown into a state of catatonic call-a-geek terror because their GPS app is asking for permission to view their location.
I think I agree with your general point, but I have to point out that the correct solution - implemented by Flatpak, Android, and I believe macOS and iOS - is that selecting an avatar should use a file picker that only hands the app access to what it needs, and a request for full filesystem access is a red flag.
Yes, but now I have to contort my file organization around the preferences of the machine, which is completely backwards to how the user:device relationship should be. My files belong where I feel they belong, optimized for the idiosyncratic and individualized workflow that works for me.
And of course, it kinda also doesn't change much, since (assuming I've learned to give in and submit to Moloch's $HOME) now all my documents are in the siloed "these documents can be accessed by apps" area, still just as ripe for upload to Scary Hacker Dudes or CTRL-H shenanigans. Giving the app access only to its own personal directory would make the hypothetical avatar feature impossible (well, possible only through exiting out, opening gallery, finding a suitable image, manually copying that image over to the app's personal directory... and all that on mobile... yeugh), as well as a whole lot of other features we (should) take for granted.
So in the end, we still have the initial pointlessness, we've just sprinkled in a fair amount of annoyance on top.
Er, no? To select an avatar, the app triggers a file picker, you navigate anywhere in the filesystem and pick a file, and the system hands the app just that file with no access to anything else.
In the case where you want an app to have persistent access to a directory, it's true that the easiest way is to use the normal filesystem layout and then take the default mappings, but at least with flatpak you can tell it to map in arbitrary different directories and then use them just fine (ex. I've used this to give Steam storage on external disks).
These features are effective when used, and while they can have inconveniences, those rough edges can be rounded off by customizing the protections (while still protecting most of the system).
Oh, yeah, duh. Sorry about that. The file picker route is generally fine*, though I still think the edge cases where I want a program to be able to modify another program's files in-place are numerous enough that I don't think it should become a "soft-standard" on desktop environments.
*As long as it isn't GTK browser on Windows, which absolutely should be a U.N. matter.
No... besides the concerns about creating a proprietary walled garden, that just causes prompt fatigue and they will allow anyway, creating the same problem again and further irritating users.
On desktop there could be ways added to sidestep them, eg. defined in bulk in a processname.permissions file somewhere protected.