Security boundaries are for more than intentionally bad apps, but things like bugs causing code execution or other ways of abusing their privileged position.
An app decoding complex untrusted media files from the internet? It should have the absolute minimum permissions.
That's not the problem Apple was trying to solve here.
I suppose I could see a system where every camera/screen recording access by QuickTime Player forces a popup, because you can't say whether it happened intentionally or due to opening a malicious video file, but that would have to be opt-in for sure.
An app decoding complex untrusted media files from the internet? It should have the absolute minimum permissions.