-------- Original Message --------

>> ... developer and application is best placed to decide how to restrict itself.
> On a similar note and paraphrasing: the *owner* of the hardware
> running Linux is the one best placed to *decide* what and how to
> restrict any applications running on their box.
>
> More so when it is a bloody desktop.
>
> I *do not* appreciate that my Linux (Devuan) installation runs EVM,
> SELinux, AppArmor and whatever other "security" application the
> packager (or whoever decides) fancies without my knowledge, approval
> or possibility of effectively opting out.

I don't think you understand how pledge and unveil work. Basically the program
starts with all privileges required. The developer says I know my app will never
need network so ask the kernel to drop that access. If you run a command line
tool in a folder. The dev might know it only opens i does it's stuff and exits
so ask the kernel to only give it access to that folder. IOW it can't break
unless the developer does not understand his app and it is hard coded into the
binary. It also doesn't restrict anything unless the binary requests it to.
There is no external sand boxing.