Alan Bomberger provides the following analogy concerning the design of brakes for the trailers of trucks.
I started too late using an analogy that helps people understand the different approach.
I remember the days when default universal privilege seemed correct.
Universal privilege was the only way that people understood a computer running a program.
The word ‘privilege’ was not even in the computer vocabulary.
It was a great shock for some to imagine a physics program that could not merely write tape when it came to some point in the problem.
That was about 1959.
Things drifted to gradual limitation on what a program could do.
Unix was an early but not the first system to define limitations inspired partly by CTSS which subdivided a 7090 among users with the primary end of giving each the illusion of his own computer.
Privileges were very coarse then (and still).
Root access meant you could do just about anything.
Many programs were granted root access because of something they occasional needed to do.
Today there are too many programs on my Mac with root privilege; and there is little they cannot do.
When I try to install the new OCaml compiler the installer wants root privilege.
Current OS and KeyKOS compare similarly to Automobile brakes and Truck brakes.
Automobile brakes fail Off; the car cannot stop.
Truck brakes fail On; the truck cannot move.
So, any failure or bug in the Auto means that the Auto is unrestrained, while any failure
or bug in the Truck means that the truck is safe and restrained.
Current OS’s as you point out allow all privileges by default and tack on layers of code to restrict those privileges.
Any bug in those layers of code results in exposures.
KeyKOS allows no privileges by default and adds layers of code that define privileges.
Any bugs in those layers result in denial of privileges.