Comment by eridius

This capability system is exactly how OS X's built-in sandbox works. Sandboxed apps don't have unrestricted access to the filesystem, but if they invoke the system-provided Open dialog, and the user selects a file, the application is granted access to that file (which it can persist, so it can continue to access that file in the future).