Exactly. First of all, I'd like to be in control of sandboxing. Secondly, and this is just my dream, I'd love sandboxing to be designed to allow me as a user to easily pierce it, so that I could e.g. augment a sandboxed app with my own code if I don't like how it does something.
Unfortunately, the nature of the world is such that if you allow users to control sandboxing, the next wave of attacks will come from applications that kindly ask users to disable the sandbox because of $reasons.
> Unfortunately, the nature of the world is such that if you allow users to control sandboxing, the next wave of attacks will come from applications that kindly ask users to disable the sandbox because of $reasons.
You can make the best locks in the world and it's all for nothing if every time an attacker knocks on the door the user opens it up and lets them in, but the solution can't be to weld shut every door.
Security commonly fails at UX. We could do better.
But at some point, if you ask the user "should this app access your private information" and the user says yes, that's what needs to happen, and the user needs to learn when to say no.
Do not make it easy to disable the sandbox, but keep the user in control.
Linux evades a huge amount of viruses and phishing just because you have to `chmod +x` stuff before running, for example. A "Software wants to do nasty stuff. Allow | Disallow" prompt just does not make it.
Also, users will want to pierce the sandbox sometimes, so do not make it an all-or-nothing situation. Make giving common permissions easy and rare permissions hard, and give fine-grained control over them.