Data remanence is a really hard problem. Are you sure this lives up to your claims that "the file is completely deleted without a trace"? How are you storing them? Do they ever hit e.g. an SSD in plaintext?
That's not really what the confused deputy problem is about.
Instead, a confused deputy has too much authority, and is being asked to "switch hats" and pretend to have the authority of a user/caller.
Confused deputies arise because they don't have a clear picture of what the authority of the user/caller actually is, and accidentally expose some authority that the user/caller wasn't supposed to have.
Capabilities let you model this authority as a first-class principle.
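The pattern described above, as an added example that is not part of the thread: a compile service that holds ambient write authority over the whole filesystem will happily "switch hats" and write a caller's output over its own billing log, because it has no way to tell what the caller may actually write. Passing a write capability instead means the caller can only hand over authority it genuinely holds. All names here (`MemFS`, `AmbientDeputy`, `WriteCap`, `UserAuthority`, `CapDeputy`, the billing path) are hypothetical, and the filesystem is an in-memory stand-in constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class MemFS:
    """Constructed in-memory filesystem standing in for the real one."""
    files: dict = field(default_factory=dict)

    def write(self, path: str, data: str) -> None:
        self.files[path] = data

    def append(self, path: str, data: str) -> None:
        self.files[path] = self.files.get(path, "") + data

    def read(self, path: str) -> str:
        return self.files[path]


BILLING = "/var/compiler/billing.log"  # only the service should write here


class AmbientDeputy:
    """Confused deputy: holds authority over the whole filesystem and is asked
    to write the caller's output wherever the caller names. It cannot tell
    whether the caller is allowed to write there, so it uses its own authority."""

    def __init__(self, fs: MemFS):
        self.fs = fs

    def compile(self, user: str, source: str, output_path: str) -> None:
        self.fs.append(BILLING, f"{user}:1\n")          # deputy's own job
        self.fs.write(output_path, f"compiled({source})")  # caller's request, deputy's authority


class WriteCap:
    """Unforgeable handle granting write access to exactly one path."""

    def __init__(self, fs: MemFS, path: str):
        self._fs, self._path = fs, path

    def write(self, data: str) -> None:
        self._fs.write(self._path, data)


class UserAuthority:
    """What a user actually holds: caps can be minted only under their own home."""

    def __init__(self, fs: MemFS, user: str):
        self.fs, self.user = fs, user

    def write_cap(self, path: str) -> WriteCap:
        if not path.startswith(f"/home/{self.user}/"):
            raise PermissionError(f"{self.user} may not write {path}")
        return WriteCap(self.fs, path)


class CapDeputy:
    """Same service, but output goes through a cap the caller supplies.
    The deputy never exercises its own authority on the caller's behalf."""

    def __init__(self, fs: MemFS):
        self.fs = fs

    def compile(self, user: str, source: str, out: WriteCap) -> None:
        self.fs.append(BILLING, f"{user}:1\n")  # still the deputy's own authority
        out.write(f"compiled({source})")         # only what the caller could prove


def attack_ambient() -> str:
    """alice names the billing log as her output path and clobbers it."""
    fs = MemFS({BILLING: "bob:3\n"})
    AmbientDeputy(fs).compile("alice", "main.c", BILLING)
    return fs.read(BILLING)  # billing history replaced by alice's object file


def attack_capability() -> dict:
    """With caps, alice cannot even express the request; legitimate use still works."""
    fs = MemFS({BILLING: "bob:3\n"})
    alice = UserAuthority(fs, "alice")
    deputy = CapDeputy(fs)
    try:
        deputy.compile("alice", "main.c", alice.write_cap(BILLING))
    except PermissionError:
        pass  # cap minting fails before the deputy ever runs
    deputy.compile("alice", "main.c", alice.write_cap("/home/alice/a.out"))
    return fs.files


if __name__ == "__main__":
    print("ambient billing log:", repr(attack_ambient()))
    print("capability fs:", attack_capability())
```

The difference is not that `CapDeputy` checks more carefully; it checks nothing. The authority to write the output arrives as a value the caller had to obtain from its own `UserAuthority`, so the deputy has no excess authority to misapply.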
In principle that's true, but let's consider something like auto run when inserting a USB or CD etc. When auto run means full user permissions to run any program that's a huge security issue. If on the other hand auto run is specifically a dialog box based on the device format that's a much smaller security issue.
The point being if you give an app permission to add a charge to a bill and only add a charge to a bill, then the fact a user can increase their bill in an arbitrary fashion is still a problem, but it's a smaller one than letting them delete all charges.
This is one of the things I've always liked about JRuby. You can use the excellent tooling of the JVM ecosystem (e.g. YourKit, Coverity Dynamic Analyzer) to understand the behavior of your JRuby applications, and even attach directly to running production apps to debug them.
I've found tools like this essential for debugging multithreaded JRuby applications, and there's simply nothing else like them available for MRI.