> On the other hand, I cannot see how this approach can be scaled to something like a personal computer.

Personally I think the biggest challenge is UX. The systems engineering is good, and it works just fine.

> For other programs that I run, I may want to let them access most or all files in certain file systems. Any file system that I use contains typically many millions of files. Therefore it is obvious that using one capability per file is not acceptable.

Yeah, of course! Just make a capability representing the containing directory or filesystem. Then the program is free to open and browse files within that directory, but nothing outside of it.

I agree with others in this thread. Think of the capability like a bearer token. You wouldn't make a token per file. Just make one for the directory.
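As an added illustration of the "one capability for the directory" idea (this is not code from the thread or from any particular capability OS), the snippet below models the capability as an open directory file descriptor on a POSIX system. Every open goes through `dir_fd` (openat(2) semantics), and absolute paths, `..` components and symlinks are refused, so a holder of the handle can reach anything beneath that directory and nothing else. The class and function names are hypothetical, and the sandbox layout is constructed in a temporary directory purely for the demonstration.

```python
import errno
import os
import shutil
import tempfile


class CapabilityError(PermissionError):
    """Raised when a path would reach outside the directory capability."""


class DirectoryCapability:
    """A bearer-token-style handle to one directory (hypothetical helper).

    Holding the object (really its open directory descriptor) grants access
    to the subtree below that directory, independent of the process's
    current working directory or root.
    """

    def __init__(self, path):
        # The capability *is* the open directory descriptor.
        self.fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)

    def close(self):
        os.close(self.fd)

    @staticmethod
    def _openat(name, flags, dir_fd):
        # O_NOFOLLOW makes the kernel refuse a symlink at this component
        # (ELOOP on Linux/macOS, EMLINK on some BSDs); map that to a denial
        # so a link inside the sandbox cannot point at files outside it.
        try:
            return os.open(name, flags | os.O_NOFOLLOW, dir_fd=dir_fd)
        except OSError as e:
            if e.errno in (errno.ELOOP, errno.EMLINK):
                raise CapabilityError(f"symlink not allowed: {name!r}") from e
            raise

    def open(self, relpath, flags=os.O_RDONLY):
        """Open relpath relative to this directory, refusing any escape."""
        if os.path.isabs(relpath):
            raise CapabilityError(f"absolute path not allowed: {relpath!r}")
        parts = [p for p in relpath.split("/") if p not in ("", ".")]
        if not parts:
            raise CapabilityError("empty path")
        if ".." in parts:
            raise CapabilityError(f"parent traversal not allowed: {relpath!r}")

        cur = self.fd
        intermediates = []  # directory fds opened along the way; closed below
        try:
            # Walk one component at a time so each lookup is anchored at a
            # directory we already hold, never at the filesystem root.
            for comp in parts[:-1]:
                cur = self._openat(comp, os.O_RDONLY | os.O_DIRECTORY, cur)
                intermediates.append(cur)
            return self._openat(parts[-1], flags, cur)
        finally:
            for fd in intermediates:
                os.close(fd)

    def read_text(self, relpath):
        with os.fdopen(self.open(relpath), "r") as f:
            return f.read()


def demo():
    """Build a constructed sandbox and report which accesses the capability allows."""
    root = tempfile.mkdtemp()
    sandbox = os.path.join(root, "sandbox")
    outside = os.path.join(root, "outside")
    os.makedirs(os.path.join(sandbox, "notes"))
    os.makedirs(outside)
    with open(os.path.join(sandbox, "notes", "readme.txt"), "w") as f:
        f.write("inside ok\n")
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("should never be readable through the capability\n")
    # A symlink planted inside the sandbox that points outside of it.
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(sandbox, "leak"))

    cap = DirectoryCapability(sandbox)
    results = {"inside": cap.read_text("notes/readme.txt")}
    attempts = {
        "dotdot": "../outside/secret.txt",
        "absolute": os.path.join(outside, "secret.txt"),
        "symlink": "leak",
    }
    for label, path in attempts.items():
        try:
            cap.read_text(path)
            results[label] = "ALLOWED"
        except CapabilityError:
            results[label] = "denied"
    cap.close()
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the check is done by the kernel's per-component lookup, not by string matching on the path, which is why the walk opens each directory with `dir_fd` instead of normalising the string and hoping nothing changes underneath it.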