Apps ship with source. To let you run without reading the source, apps run without any privileges by default. No files, no network.

You can grant broad privileges to a single function after reading just its source.

The issue: functions can be over-ridden, so you end up accidentally granting privileges to malicious nooks and crannies.

I need to go back to app-level permissions. Grant narrow privileges to the whole app, without regard to what function uses them.

A concrete use case for permissions by caller (now removed from Teliva)

By its nature, a file browser can list directory contents and open files all over the computer. How could we convince ourselves that it's only using these privileges to meet our requests?

My old solution: app is written in such a way that someone can grant these privileges to a single function after convincing themselves it opens a single file/directory every time the Enter key is pressed.

Now I need something new..

Comments gratefully appreciated. Please send them to me by any method of your choice and I'll include them here.