“The UNIX security model sucks.”
From the otherwise minimally valuable Slashdot comment thread on my Mac App Store post, a very insightful comment from Slashdot user “dgatwood”:
The UNIX security model sucks. It assumes that attacks come from the outside, and is designed to protect the user from other users on the same system. In the UNIX model, everything run by a particular user has the same rights as the user. In practice, that just isn’t a viable security model anymore. […]
A modern security model must be fundamentally built on the principle of distrust. Distrust everything. Any app could potentially become malicious at any time, whether because the app developer put in a backdoor or because somebody exploited a buffer overflow. It is, therefore, the responsibility of the operating system to not only protect the user from other users on the system, but also from flaws in other applications being run by the same user.
He’s right. (I wasn’t arguing against sandboxing.)