@iska @marine @teratology @amanda
> scopes/environments are cleaner than filesystems,
If you think of it as something like FUSE, then yes, filesystems are terrible for this.
But it's just a notation, like using memory addresses or system calls or variables. So if the system is built around filesystems being the means of accessing objects, and if it's granular enough that individual threads in the same process can discard permissions, and you can enforce this by just removing part of the namespace before starting a program, then no, not remotely: filesystems are great for this.
Say you want, by default, to only provide framebuffer access to the children of the processes of the user who is sitting at the machine. You can do that by only letting one process have access to it, and then that process provides an interface to it. That interface is a filesystem, and mounts are inherited only by child processes, so it's about as secure as a local variable. You wanna export it, you wanna provide its contents to the entire internet? You can do that (without requiring that UID 0 mediate access).
> more efficient as checks and lookups only have to be done at compile time.
Oh, if you're talking about how OpenBSD does it, that's cool. The only issue is that you can't do it for interpreters, and it's all kinda retrofitted onto POSIX but is itself not part of POSIX. I like what Theo did but there's a lot you can do if you discard compatibility rather than just poking some holes in it.