Regarding AppArmor/SELinux, who creates/audits those profiles to make sure each application only has access to exactly the libraries it needs? It probably defeats the purpose if it's the app authors. Similarly, who validates that these profiles don't break functionality for any device/OS version? I could see this being an option for power users who are willing to collaborate on creating the profiles and deal with fixing the occasional incomplete profile. I'm not sure how feasible it'd be as a solution for your typical user though.