A capability boundary should be visible in the code. If it only exists as policy, it will eventually be bypassed by convenience.
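One way to make such a boundary visible, as an added example that is not from the original page: a Rust module whose private field makes a directory-write capability unforgeable, so the authority to write is a value that must appear in function signatures rather than a policy check that a caller can skip. `DirWrite`, `write_report` and the in-memory `Disk` are names assumed here for illustration.

```rust
use std::collections::HashMap;
use std::path::PathBuf;
/// The capability lives in its own module so its private field makes it
/// unforgeable: outside `cap`, a `DirWrite` can only come from this module.
mod cap {
    use std::path::PathBuf;
    /// Authority to write files under exactly one directory.
    pub struct DirWrite { root: PathBuf }
    impl DirWrite {
        /// The single minting point, meant for start-up, where ambient
        /// authority is turned into an explicit value exactly once.
        pub fn root(root: &str) -> DirWrite { DirWrite { root: PathBuf::from(root) } }
        /// Attenuation: hand a callee a narrower capability. One plain path
        /// component is required so the child cannot escape its parent.
        pub fn narrow(&self, sub: &str) -> Option<DirWrite> {
            plain(sub).then(|| DirWrite { root: self.root.join(sub) })
        }
        /// Resolve a bare file name against the directory this value covers.
        pub fn resolve(&self, name: &str) -> Option<PathBuf> {
            plain(name).then(|| self.root.join(name))
        }
    }
    /// True for a bare name: non-empty, no separator, not "." or "..".
    fn plain(s: &str) -> bool {
        !s.is_empty() && !s.contains('/') && !s.contains('\\') && s != "." && s != ".."
    }
}
use cap::DirWrite;

/// Constructed in-memory stand-in for a filesystem so the example runs offline.
pub type Disk = HashMap<PathBuf, String>;

/// The authority is a parameter: the boundary shows in the signature and at
/// every call site, with no global "is this caller allowed?" check to forget.
pub fn write_report(cap: &DirWrite, disk: &mut Disk, name: &str, body: &str) -> Option<PathBuf> {
    let path = cap.resolve(name)?;
    disk.insert(path.clone(), body.to_string());
    Some(path)
}

/// Start-up mints the root and passes the reporting code only the narrowed value.
pub fn run() -> (Disk, Option<PathBuf>, Option<PathBuf>) {
    let mut disk = Disk::new();
    let reports = DirWrite::root("/var/app").narrow("reports").unwrap();
    let ok = write_report(&reports, &mut disk, "daily.txt", "all green");
    let escape = write_report(&reports, &mut disk, "../secrets.txt", "x"); // refused
    (disk, ok, escape)
}
```

Code outside `cap` cannot write `DirWrite { .. }` because the field is private, so the compiler, not a convention, is what stops a convenient bypass.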