There is a problem with this in both sorts of systems: we make mistakes. In both sorts of systems some actions were reversible but others were not. For some purposes there is a worse problem—forgotten actions. For Keykos there were ideas for software support for forgotten actions but no tested code.
Just now I was digging thru the Mac file /etc/apache2/httpd.conf which instructs the Apache web server how to run and what to do on your Mac. That file is made of directives. One directive is “Listen 80” which tells Apache to service http protocol requests arriving from Internet on port 80. This is not the cap way of doing things. Apache should be launched with a cap to listen and respond to port 80. Apache should not be concerned with the port it talks to the world over. There is an implication that it runs with the authority to talk on any port. Likewise “DocumentRoot "/Users/norm/cap-lore.com"” tells Apache what files to serve. “ServerRoot "/usr"” tells Apache where to keep operational notes.
All three of these should be capabilities. There are more. There is much code in Apache that decodes incoming potentially malicious http requests. Flaws in that code may deliver all of the excessive authority that Apache typically runs with.
Keykos came mostly before Internet but did support Tymnet. I imagine a Keykos endowed with Internet as including an object (WSC = web server creator) that obeyed an order to create an Apache with at least the above three capability parameters. It is not clear how the caller of WSC would acquire a cap to listen to a port. That difficulty is properly deferred to port management, a problem which Unix ignores.