> they want to move the permission management from Flatpak into the service layer, through a new service called systemd-appd. Systemd-appd gives applications an identifier and stores their permissions, and then this data can be queried by the rest of the system. In turn, this enables a slew of other features, not least of which is subsandboxing.
This is fantastic news! As I've argued here on HN many times over the years, proper permission management is probably the single most important piece that's been keeping us from sandboxing everything by default, like on Android and iOS.
Yeah, it sounds promising but far from simple in practice. :)
There were some early attempts in mobile Linux distros, like the original Ubuntu Touch or even Nokia's MeeGo, and it turns out the main issue is actually improving security while not blocking whole categories of applications from working.
In the early Ubuntu Touch case I remember that you, as a user, had to allow your image viewer access to individual pictures from the SD card, one by one, to see them in the app. This made it basically useless.
In the MeeGo use case IIRC third-party chroot/shell environments like Termux were impossible due to the way their security/sandboxing system was set up. At the same time all apps had internet and microphone access, and it was impossible to disallow it per app.