Comment by loup-vaillant

> In short the integrity of the application must be secured. This integrity must be protected from everyone. Nothing should be able to violate the integrity of the app.

I’m getting a strong sense that you don’t know what you’re talking about. "Everyone" for instance doesn’t include the app vendor. You want to allow updates, right?

> Most users do not want this ability

Again with the ambiguous wording. What do you mean exactly? That >50% of users don’t care about having this ability, or that >50% of users explicitly reject this ability?

In my experience, most users think they don’t care, until they need to run an app that’s not on the main app store. Easy example: skip YouTube ads. On Android, you jumps a few hoops, install Newpipe or Tubular, and voilà, no more ads. But I’ve met several iPhone users who wanted the same, and were quite dejected when they realised they couldn’t have it.

Of course, the idea that most users explicitly reject the ability to bypass security measures is utterly ridiculous.

> Allowing end users to turn off security features is not a good idea.

Not that I’m not talking about flipping a switch that would end all process isolation. I’m talking giving permission to one app to mess with one other app. Secure by default with fine grained permissions, not "please revert to Windows 98 with zero memory protection".

> Users should not have to think about such things.

They have to anyway. Where their credentials are, what if they break their computer, lose their phone, their data gets leaked…