I think that it was Maurice Wilkes who said “capabilities are slippery little things; you can never tell where they are going to get to.” I think that that is at the crux of understanding (or not) capability discipline. It depends on where you stand. Some (people and programs) may be unable to tell, but those with the proper authority, incentives, responsibilities and tools are able to tell, at least if they take appropriate and feasible precautions.
There is a gamut of cases to consider, but the simplest is important and easy to understand; it is the starting point for the rest. In Keykos a 4K memory page is an object, in that a key to the page is necessary and sufficient to directly access the content of that page. A particular page key is typically manipulated only by a segment keeper who gets the key from the bank and places it in a segment node to which the keeper holds the sole key. One need not read much code to see that this is so.
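
The simplest case above can be checked mechanically. The following is an added example, not Keykos code: a toy model in which each domain or node holds a set of keys, and a reachability walk answers "who can get this page key?". The `Key` tuple, its `fetch` flag, the holder names and both sample tables are assumptions constructed for the illustration, and the bank is left out of the model.

```python
# Toy model constructed for this example; not Keykos code or its API.
from collections import namedtuple

# fetch=True models a key that lets its holder read keys out of the target's slots.
Key = namedtuple("Key", "target fetch")

PAGE_KEY = Key("page", fetch=False)          # access to the page content only
NODE_KEY = Key("segment_node", fetch=True)   # opens the segment node

def reachable_keys(holder, holdings):
    """Every key `holder` holds or can fetch through nodes it can open."""
    seen, todo = set(), list(holdings.get(holder, ()))
    while todo:
        key = todo.pop()
        if key not in seen:
            seen.add(key)
            if key.fetch:
                todo.extend(holdings.get(key.target, ()))
    return seen

def who_can_get(key, holdings, domains):
    """Names of the domains able to obtain `key`, sorted."""
    return sorted(d for d in domains if key in reachable_keys(d, holdings))

DOMAINS = ["client", "helper", "keeper"]

# The case from the text: the page key sits in the segment node,
# and the keeper holds the sole key to that node.
SIMPLE = {"keeper": {NODE_KEY}, "segment_node": {PAGE_KEY},
          "client": set(), "helper": set()}

# Failure case (constructed): a second node key exists, so "sole key" no longer holds.
COPIED = dict(SIMPLE, helper={NODE_KEY})

if __name__ == "__main__":
    print(who_can_get(PAGE_KEY, SIMPLE, DOMAINS))
    print(who_can_get(PAGE_KEY, COPIED, DOMAINS))
```

The walk covers only keys at rest in domains and nodes; a key handed temporarily to another program in a call is outside this model.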
Some programs must call on other programs in other (protection) domains and must temporarily trust the other program with some key. The other program must be specified not to convey the capability further and must either: