Comment by naikrovek

2 hours ago

> The fact that tools like docker, podman and bubblewrap exist and work points out that the OS supports it

Only via virtualization in the case of macOS. Somehow, even Windows has native container support these days.

A much more secure system can be made, I assure you. Availability is important, but an NPM package being able to scan every attached disk in its post-installation script and capture any clear text credentials it finds is crossing the line. This isn’t going to stop with NPM, either.

One can have availability and sensible isolation by default. Why we haven’t chosen to do this is beyond me. How many people need to get ransomwared because the OS lets some crappy piece of junk encrypt files it should not even be able to see without prompting the user?