If an app requires a permission, how does the OS know that it's OK to grant it? For example, I want to back up my system, so I install an app which needs a permission called "bypass any file access control and let me read every file". How does the OS know it's legitimate and not malware trying to steal data?
It could be "this requires a special digital signature from the OS manufacturer" -> then the private key of this digital signature is a "god object"
It could be "this requires confirmation from the physically present user" -> then you basically have passwordless sudo
It could be "this requires the user's PIN/password/biometrics" -> then you have regular sudo
Either way, there is some source of authority in here, even if it's called "root key" or "user pin" instead of "root account".
>then the private key of this digital signature is a "god object"
You could instead require the app to be part of the OS. The next gotcha from you, I imagine, would be that the build farm for the next OS update is a god object, and at that point I think this is a meaningless tangent. I'll concede and say you have to trust your OS creator. But you always have to trust your OS creator for any OS.
>then you basically have passwordless sudo
If sudo couldn't be used from other programs / shell scripts and didn't give access to a god account, but instead did simple things like let you use ping, then that seems fine to me. But why require people to manually wrap programs when it could be handled automatically?
>Either way, there is some source of authority in here
Sure, but it's a system that's much better than sudo.
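To make the "vendor signature as root of trust" model from the thread concrete, here is an added example that is not from any poster: a toy permission broker that grants ordinary permissions (like ping) to any package but grants the "bypass file ACL" permission only when the package manifest carries a valid vendor signature. The vendor key, the manifest format, the permission names and the HMAC stand-in for a real public-key signature are all assumptions made for this example; the point it shows is that the decision is an explicit signature check, and that a manifest altered after signing is rejected.

```python
import hashlib
import hmac
import json

# Hypothetical vendor signing secret. In a real OS this is the manufacturer's
# private key (the "god object" from the thread); an HMAC secret stands in for
# it so the example runs with only the standard library. Constructed value.
VENDOR_KEY = b"example-vendor-signing-key-not-real"

# Permissions only vendor-signed packages may receive (assumed names).
PRIVILEGED = {"bypass_file_acl"}
# Permissions any package may receive without a vendor signature (assumed names).
ORDINARY = {"network_ping"}


def canonical(manifest: dict) -> bytes:
    """Serialize a manifest deterministically so signer and verifier agree."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Produce the vendor signature over the canonical manifest bytes."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def vendor_signed(manifest: dict, signature: str) -> bool:
    """Verify the signature with a constant-time comparison."""
    expected = sign_manifest(manifest, VENDOR_KEY)
    return hmac.compare_digest(expected, signature)


def grant_permissions(manifest: dict, signature: str) -> dict:
    """Return {permission: granted} for every permission the manifest requests.

    Ordinary permissions are granted to anyone; privileged ones only to
    packages whose manifest verifies under the vendor key; unknown names are
    always denied.
    """
    trusted = vendor_signed(manifest, signature)
    decision = {}
    for perm in manifest.get("permissions", []):
        if perm in ORDINARY:
            decision[perm] = True
        elif perm in PRIVILEGED:
            decision[perm] = trusted
        else:
            decision[perm] = False
    return decision


def demo() -> dict:
    """Three constructed scenarios: vendor backup tool, third-party app, tampering."""
    backup = {"name": "vendor-backup", "permissions": ["bypass_file_acl", "network_ping"]}
    backup_sig = sign_manifest(backup, VENDOR_KEY)

    third_party = {"name": "random-app", "permissions": ["bypass_file_acl", "network_ping"]}
    forged_sig = sign_manifest(third_party, b"attacker-guess")  # wrong key

    # A validly signed manifest whose permission list is edited after signing.
    tampered = {"name": "vendor-backup", "permissions": ["bypass_file_acl", "network_ping", "read_keychain"]}

    return {
        "vendor_backup": grant_permissions(backup, backup_sig),
        "third_party": grant_permissions(third_party, forged_sig),
        "tampered": grant_permissions(tampered, backup_sig),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

The same broker could take a second authority source (a physical-presence prompt or a PIN check) and treat it like the signature check, which is the thread's observation that every variant still has some root of trust; what changes is only who holds it.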
Let me preface this by saying it is wildly impractical, but you could boot into a separate, minimal OS that mounts your primary OS disk and manages those permissions.
For an extra layer, have the “god mode OS” installed on physically read-only media, and mount the primary OS in a no-exec mode.
Regular OS can’t modify permissions, and the thing that can modify permissions can’t be modified.
It’s too clunky for home use, but could probably be used for things like VM images (where the “god mode OS” is the image builder, and changing permissions would require rebuilding the image and redeploying).