If we're talking about sandboxing, then macOS has that too. Apps installed through the MAS have specific sandboxes they can play in and require permission for the others.
That’s for all apps, but only for specific parts of the filesystem, so there’s still plenty of room for apps to cause havoc by messing with everything else.
This is separate from the older sandboxing feature that’s designed to fully isolate apps from the rest of the system, which is mandatory for Mac App Store apps but opt-in for other apps.
Sandboxing is one of the pain points of Mac App Store. I certainly would like to see sandboxing being more prevalent on the desktop, but not like the MAS way. The user should have the final say of the way in which a sandbox allows and restricts the application. Just for example, I should be able to completely trust an app with access to the filesystem, not with all the popups and confirmations, while disallowing network access from it.
Sandboxing is extremely hard to get right. It's even harder to retrofit it into an existing system, because so many programs exist that just store files wherever they feel like, and you don't want the new OS to break all the old programs. And if the OS provides a "legacy program" mode, malicious apps will just use that.
In addition to files, sandboxing has to protect against capturing screen pixels, getting keyboard events, doing network or device IO, inspecting the cut&paste buffer, and hundreds more things, all of which some apps have legitimate reasons to do. So the matrix of permissions gets very large.
This is essentially how the sandbox works on macOS, from what I understand. 90% of applications should work fine with this. Some, though, like antivirus (as an example), can't really do so.
macOS manages to implement all those things while having sandboxing, though at the expense of many popups ("program X wants to do Y") right now. Maybe not the perfect solution either, but it is not an unreasonable thing to ask for IMO.
macOS already has a sandbox. In practice many sandboxed apps can't actually write to /Library or ~/Library. They write to a sandboxed directory that pretends to be ~/Library, further containing directories like ~/Library/Application Support. The real path of that directory is generally under ~/Library/Containers.
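To make the container behaviour described above concrete, here is an added example (not code from the thread or from Apple): a small POSIX shell script that reads an app's signed entitlements, reports whether it opts into the App Sandbox, which entitlements it holds, and where its ~/Library writes actually land. The parsing helpers run anywhere and are exercised on constructed sample plists; the `inspect_app` wrapper assumes macOS with `codesign` and `defaults` available, and that `codesign -d --entitlements :-` emits the entitlements as an XML plist on stdout. The bundle identifiers in the samples are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a macOS app bundle opts into
# the App Sandbox by reading its signed entitlements, and reports the container
# directory its ~/Library writes are redirected to. The helpers below are portable;
# inspect_app assumes macOS tools (codesign, defaults) exist.

# Returns 0 if the entitlements plist on stdin sets the given key to <true/>.
# Whitespace is stripped first so the key/value pair can be matched on one line.
has_entitlement() {
    key="$1"
    tr -d ' \t\n\r' | grep -q "<key>$key</key><true/>"
}

# Prints "sandboxed" or "not-sandboxed" for the entitlements plist on stdin.
sandbox_status() {
    if has_entitlement com.apple.security.app-sandbox; then
        echo sandboxed
    else
        echo not-sandboxed
    fi
}

# Lists the com.apple.security.* keys present in the entitlements plist on stdin.
list_security_entitlements() {
    tr -d ' \t\r' | sed -n 's|.*<key>\(com\.apple\.security\.[^<]*\)</key>.*|\1|p'
}

# Data directory a sandboxed app's container resolves to for a bundle identifier.
# Second argument overrides $HOME (used for testing on non-macOS hosts).
container_data_dir() {
    home="${2:-$HOME}"
    echo "$home/Library/Containers/$1/Data"
}

# Constructed sample (hypothetical app): sandboxed, may read/write user-chosen
# files, holds no network entitlements.
SAMPLE_SANDBOXED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
</dict>
</plist>'

# Constructed sample (hypothetical app): signed with hardened-runtime entitlements
# but never opts into the App Sandbox.
SAMPLE_UNSANDBOXED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
</dict>
</plist>'

# macOS-only: inspect a real bundle. Assumes codesign prints the signed
# entitlements as XML on stdout when given ":-", and that the bundle id can be
# read from Info.plist with defaults(1).
inspect_app() {
    app="$1"
    ents=$(codesign -d --entitlements :- "$app" 2>/dev/null) || {
        echo "unsigned or unreadable: $app"
        return 1
    }
    bid=$(defaults read "$app/Contents/Info.plist" CFBundleIdentifier)
    status=$(printf '%s' "$ents" | sandbox_status)
    echo "$app ($bid): $status"
    printf '%s' "$ents" | list_security_entitlements | sed 's/^/  entitlement: /'
    if [ "$status" = sandboxed ]; then
        echo "  ~/Library writes land in: $(container_data_dir "$bid")/Library"
        if printf '%s' "$ents" | has_entitlement com.apple.security.network.client; then
            echo "  outbound network: allowed"
        else
            echo "  outbound network: not entitled"
        fi
    fi
}

# Usage on macOS: ./sandbox_check.sh /Applications/TextEdit.app
if [ $# -gt 0 ]; then
    inspect_app "$1"
fi
```

Note that this reads the entitlements the developer signed in, not the TCC prompts the user answered later; the two layers are separate, which is why a sandboxed app can still produce "program X wants to do Y" dialogs.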
Now for obvious reasons Apple cannot force all macOS apps to be sandboxed. It was already a PR hit when they required Mac App Store apps to be sandboxed.
Also, sandboxing is designed to prevent unfettered filesystem access on macOS, meaning this isn’t part of the threat model if all apps are sandboxed and packaged.
Thanks. I've been chewing on your reply. I didn't get very far. It finally occurs to me that macOS (or equiv) could implement iOS (or equiv) style sandboxing. Maybe that's already in progress. As a dev and former power user, I'm sure it'll be uncomfortable.