Seriously, just restrict it to signed applications unless debugging mode is active. With explicit permission from the user.
/e/OS already exists and can even be bought preinstalled on Fairphone.