Programs don’t need protection from inadvertently sent capabilities largely because, for better or worse, programs do what they are programmed to do.

Programs that are untrusted are not given capabilities that they should not disperse or are confined so as to be unable to disperse the capabilities. Programs that are trusted must be debugged.

These arguments need development.