The ability to specify what files or folders a program should have access to (before or during runtime) is called Capability Based Security, or CabSec. It's as simple as deciding what ingredients to put in a blender to make a smoothie.... you never have to worry that the blender is going to pick new things to add.
When you run a paint program the OS should provide a secure way for you to chose which files it allows the program to access... and CabSec systems do this in a manner works the same for the user, it's called a PowerBox.
Windows, Linux, Apple all fail to provide this one essential feature. This makes all of them completely unsuitable for a world of mobile code and persistent internet connectivity. Systems do exist at the periphery of the hacking world which offer hope, but they don't get much love. Genode and Hurd are at the top of my list these days.
The ability to limit the scope of change caused by a program is a fundamental part of mainframe operating systems... but its actually a side effect, and not a grand design feature. VMware and other virtualization systems also serve as ersatz CabSec systems because the system requires the specification of virtual disks to be used to run a virtual machine... thus the changes can be limited in a manner similar to our old 2 floppy disk dos machines.
CabSec brings back freedom.... we need to make it a reality... any help getting this concept pushed out into the mindspace of the programming community would be greatly appreciated.