A worse problem is that the huge global authority required to install an application suffices to uninstall another, or worse, subtly ruin it. I shudder when I give one of the many programs designed to install apps on my Mac the authority to wipe out all my other apps, which is the least authority that works in Unix. Keykos had this problem, but there is a simple solution that was not invented soon enough. Languages leave such logic up to the OS, and the classic OS fails there.
Most languages have a compile phase during which many program properties are assured. This is very good; you ensure type safety before the program begins to run. The OS, however, survives across periods in which new programs are invented, so this pattern must be accommodated.
Keykos chose to go persistent; the system never shuts down. Upon power failure we recover from a checkpoint. Some criticize this decision, but I have not seen a satisfactory solution for granting authority for periods of weeks, months and years. Long intervals are critical. How else is it remembered that I have access to that data segment? Keykos faced the problem of the history of a system that had run for years: what authority has been granted by those who have left, died or merely forgotten? There are proposals but no tested solutions.
You can rescind in capability systems, or at least most modern cap systems. Systems were built where some authority was not rescindable. Rust has recently pioneered in this important direction with ideas that we might need to steal.