Comment by staticassertion

> - How does this help with malware? I want to craft an environment where any program trying to read f.ex. anything inside ~/.ssh is automatically denied. I don't want a malicious build script to exfiltrate all my sensitive data!

Your package manager would specify a policy that only allows specific access by build scripts. Or you'd use a wrapper.

> - It seems that this software is well-positioned for us to write application launchers with, is that true? If so, well, I like the idea but it seems too manual.

It could be. It's for anyone who knows what their program does, basically.