I like sandboxing too, but what you just said gives a window into the problem: You don't want a program to be able to erase all your files, but you might want it to be able to create and edit files. So how do you express that clearly enough to become an automatically-enforceable security policy? Can a program only create files? Can a program create files, and only edit files it created? Can a program create files, and then edit and delete only the files it created?
Ignoring the technical details of implementing this, you still have a semantic gap between "I don't want my document editor running wild on my files" and something you can express unambiguously. The only way anyone seems to have come up with to close that gap is Popup Whack-A-Mole, which everyone seems to agree is a massive usability failure except everyone who's reinvented it.
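The three candidate policies the comment lists can each be written down as a precise, mechanically checkable rule once the sandbox records which program created which file. The following is an added illustration, not code from the comment or from any real sandbox: an in-memory model where the program name, the file paths and the sequence of operations are constructed for the example, and the `Sandbox`, `Policy` and `Op` names are assumptions.

```python
"""
Constructed model of three file-access policies for a sandboxed program:
  1. create only
  2. create, and edit only files it created
  3. create, and edit or delete only files it created
The sandbox tracks provenance (which program created each path) and decides
every operation against the chosen policy. All names and paths are invented
for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Op(Enum):
    CREATE = "create"
    EDIT = "edit"
    DELETE = "delete"


class Policy(Enum):
    CREATE_ONLY = 1
    CREATE_EDIT_OWN = 2
    CREATE_EDIT_DELETE_OWN = 3


@dataclass
class Sandbox:
    policy: Policy
    created_by: dict = field(default_factory=dict)  # path -> creating program
    existing: set = field(default_factory=set)      # paths present in the sandbox
    log: list = field(default_factory=list)         # (program, op, path, decision)

    def check(self, program: str, op: Op, path: str) -> bool:
        """Decide an operation under the policy without changing state."""
        owns = self.created_by.get(path) == program
        if op is Op.CREATE:
            # "Creating" over an existing path would really be an edit, so a
            # program cannot clobber a user file by calling it a create.
            allowed = path not in self.existing
        elif op is Op.EDIT:
            allowed = owns and self.policy in (
                Policy.CREATE_EDIT_OWN, Policy.CREATE_EDIT_DELETE_OWN)
        else:  # Op.DELETE
            allowed = owns and self.policy is Policy.CREATE_EDIT_DELETE_OWN
        self.log.append((program, op.value, path, "allow" if allowed else "deny"))
        return allowed

    def apply(self, program: str, op: Op, path: str) -> bool:
        """Enforce the decision and update provenance on success."""
        if not self.check(program, op, path):
            return False
        if op is Op.CREATE:
            self.existing.add(path)
            self.created_by[path] = program
        elif op is Op.DELETE:
            self.existing.discard(path)
            self.created_by.pop(path, None)
        return True


def decisions(policy: Policy) -> list:
    """Run a fixed, constructed sequence of operations and return the verdicts."""
    sb = Sandbox(policy)
    sb.existing.add("/home/me/thesis.tex")  # pre-existing user file (constructed)
    sb.apply("editor", Op.CREATE, "/home/me/notes.txt")
    sb.apply("editor", Op.EDIT, "/home/me/notes.txt")
    sb.apply("editor", Op.EDIT, "/home/me/thesis.tex")
    sb.apply("editor", Op.DELETE, "/home/me/thesis.tex")
    sb.apply("editor", Op.DELETE, "/home/me/notes.txt")
    sb.apply("editor", Op.CREATE, "/home/me/thesis.tex")  # create over a user file
    return [entry[3] for entry in sb.log]


if __name__ == "__main__":
    for policy in Policy:
        print(policy.name, decisions(policy))
```

Running it shows that each policy is unambiguous and enforceable, and also shows the gap the comment is pointing at: under all three variants the editor is denied any edit of the user's pre-existing `thesis.tex`, which is exactly the file a document editor exists to edit. The rule is precise, but none of the precise rules matches the intent "don't run wild on my files", which is why practical systems fall back to asking the user per file.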