There is a definite attitude implicit in languages with scoped variable declarations: All references to the declared variable are within the syntactically manifest scope of the declaration. In many combinations of editor and language, the editor knows the scope rules and the programmer can see the region where the variable is meaningful in a fraction of a second. I no longer wish to imagine programming without such a facility.
Jonathan Rees's paper A Security Kernel Based on the Lambda Calculus is predicated on applying just this sort of safety to general problems of computer security: a piece of code can use only the references that are lexically visible to it or that were passed to it. The safety pattern works even in more elementary languages such as Actors, where, depending on the dialect, syntactic nesting does not determine scope, because there too a reference can be obtained only by creating it or by being handed it.
Here are some comments on these issues. Uhtenwoldt sums up the security advantages of capabilities better than I have seen before. I quote from the mail:
Because I had been adversely conditioned by previous run-ins with anal cops, homeowners obsessed with burglars, nerds proud of having mastered vast amounts of tedious Unix security arcana and people who are plain paranoid, my reaction to any talk that puts an unusually high stress on security tends to be to simply stop paying attention. Thus I never paid attention long enough to realize how cool cap is.
Here is the context of these remarks.
What finally got me excited about cap (a month ago) was my realizing that cap techniques actually remove the obligation for the programmer to do much of the tedious thinking about security --and the resulting "combinatorial code explosion"-- that Unix and Java developers of secure apps are forced to do. Specifically, Rees's 1995 paper illustrates this point via 3 or 4 very short examples (10 times shorter than the annotated eChat program and written in a language I already knew) of actual runnable Scheme code.
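The kind of short, runnable illustration Uhtenwoldt is describing, as an added example that is not code from this page or from Rees's paper. It is written in JavaScript rather than Scheme to make the point that the pattern depends only on lexical scope and closures, not on the language; the names makeAccount, readOnlyFacet and makeRevocable are this example's own assumptions. Note what is absent: there is no access-control list, no notion of user identity, and no permission check anywhere. Authority is exactly "who holds which closure", and that is settled by scope and by argument passing.

```javascript
// Added example (not from the page or from Rees's paper): object-capability
// discipline built from nothing but lexical scope. The function names
// makeAccount, readOnlyFacet and makeRevocable are assumptions of this example.

// `balance` exists only inside this function body. The only references to it
// are the three closures returned, so the only way to touch it is to hold one
// of them. Nothing outside can even name it.
function makeAccount(initialBalance) {
  let balance = initialBalance;
  return {
    deposit(amount) { balance += amount; return balance; },
    withdraw(amount) {
      // This is a domain rule, not a security check: whoever holds
      // `withdraw` is allowed to withdraw, but not more than is there.
      if (amount > balance) throw new Error("insufficient funds");
      balance -= amount;
      return balance;
    },
    getBalance() { return balance; },
  };
}

// Attenuation: hand out a subset of the closures. Code that receives this
// object can read the balance but has no name through which to change it.
function readOnlyFacet(account) {
  return { getBalance: account.getBalance };
}

// Revocation: a forwarder that closes over a flag. The owner keeps `revoke`
// and passes `proxy` along; flipping the flag cuts off everyone downstream
// without having to find out who they are.
function makeRevocable(target) {
  let revoked = false;
  const proxy = {};
  for (const name of Object.keys(target)) {
    proxy[name] = (...args) => {
      if (revoked) throw new Error("capability revoked");
      return target[name](...args);
    };
  }
  return { proxy, revoke: () => { revoked = true; } };
}

// Scenario: the owner lends a revocable handle to a third party, the third
// party spends, the owner revokes, a later attempt by the third party fails,
// and the owner's own handle keeps working. Results are returned, not printed.
function demo() {
  const owner = makeAccount(100);
  const { proxy: lent, revoke } = makeRevocable(owner);
  lent.withdraw(30);                       // 70 left
  revoke();
  let afterRevoke;
  try { lent.withdraw(10); afterRevoke = "succeeded"; }
  catch (e) { afterRevoke = e.message; }   // "capability revoked"
  owner.deposit(5);                        // 75: the owner's closure still works
  return {
    balance: owner.getBalance(),
    afterRevoke,
    readOnlyHasDeposit: "deposit" in readOnlyFacet(owner),
  };
}

console.log(demo());
```

The "combinatorial explosion" Uhtenwoldt mentions is what disappears here: adding a new kind of client (read-only, time-limited, delegated) means writing one small wrapper around closures, not extending a permission table that every operation must consult.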