The idea of sandboxing software is not a new one, and probably my idea has been descussed, but I’ll put it out there anyway. It works like this. Current software is installed pretty much anywhere it wishes and has access to any part of your hard dive, all your files, and hardware. This allows it to the software to
- access your web browser history,
- possibly passwords.
- record any keystroke one your keyboard,
- turn on you mic and record every thing you say,
- turn on your webcam and record without you ever the wiser.
- It also has access to the Internet and can send any of this data anywhere.
- O ya and it can encrypt all your files, delete the originals and send you a message saying if you don’t send money, they wont let you access your files ever again. 
All of this has been done before in the past and many legitimate software still record and send out some of this data for ‘statistical’ purposes. A sandbox installs a piece of software in seperate area, and imaginary box, that isolates its self from direct access to the operating system, hard drive, etc. My proposal is this. modify the OS to sandbox any installed software, and durring installation or first run, have it pop-up an check-box window to show what you want it to have access to. It can list all the software’s requirements, optional, etc. Similar to you Google play apps displays what an installed app can do, but more complete and check boxes for yes/no access. This way you know what it can and cant do, and deny specific things. Examples.
- Output sound
- change volume contoll
- access mic
- access camera
- access full harddive, documents folder, home folder, or sandboxed folder in home or docs
- full screen access
- change display resolution
- access usb
- access net
- run in background
- a bunch more, but you get the idea.
So thats the idea.