Users do want it at the point things go wrong. They want it in hindsight I guess. I don’t mind the Mac OS X way (I am not sure how good it is, but it feels good). I don’t see why not every app, in Linux or elsewhere, is not ran in a container and directories are mounted, network access is permitted etc by asking you. When I was forced to used windows (a long time ago), I installed something that alerted me of network access and default blocked it; just switching on the laptop and logging in would give me 10 ‘allow this?’ and that was not only to Microsoft owned domains. This was a while ago, so I cannot even imagine what happens when opening up windows 11.
Users do get annoyed, but on the other hand: I am willing to bet, if you check statistics, that 99% of browser (and most other apps) users access folders Pictures and Downloads (and maybe Documents) only, ever. As for urls, every tab must be another sandbox-in-sandbox and by far most of them never need the access to Pictures or Downloads or anything else. So you can surely ask without annoyance. Now a site using assets from another domain are mostly ads, so just block it all and allow manual unblock per domain.
I tried to use an application firewall on Windows and linux too. Fantastic software. However the reality of modern life is the worst offender is your web browser. I wasn't about to verify each destination IP so I ended up blanket allowing the binary. Fine. Then there's also a bunch of system processes on both operating systems that are overloaded. They do so many things using tiny system or kernel level binaries. In the end I disabled the software on both OS.
Users do get annoyed, but on the other hand: I am willing to bet, if you check statistics, that 99% of browser (and most other apps) users access folders Pictures and Downloads (and maybe Documents) only, ever. As for urls, every tab must be another sandbox-in-sandbox and by far most of them never need the access to Pictures or Downloads or anything else. So you can surely ask without annoyance. Now a site using assets from another domain are mostly ads, so just block it all and allow manual unblock per domain.