
I'm building an application that allows you to send a file to your colleagues. That's hardly a revolutionary or unusual use case, and it definitely requires network access and full access to the local file system. I also need the ability to lock files, writing file locks anywhere on the system, and I need to be able to index the contents of files.

Not only are all of these functions and corresponding permissions completely standard for all kinds of applications, they belong to the core of what any system that calls itself an "operating system" should deliver to developers and end users.



So what? Does it mean I need to automatically trust you and your app?

You don't need full unlimited access to everything in order to send a file.


You should definitely not run any apps that you don't trust. It's a no-brainer.

But in the end the file access issue is an operating system deficiency. They could offer more fine-grained access control but the common operating systems don't. It's ultimately a matter of user convenience.


Yeah, but Docker provides pretty good isolation if done right; it's a good start. macOS sandbox is limited in functionality and poorly documented, but still looks promising.

The only problem is that nobody cares, so there's no evolutionary pressure for OS developers to make their products safer in the sense that the applications are safe for the user.



