He said "things" not people.
With file based capabilities it's usually the case that you trust the intentions of the user,
and the programmer who wrote the code. But you're trying to limit the damage that processes
running this code can do to the rest of the system (which giving them enough power to do their
job) --- in the all-too-likely case that the program can be subverted in some way (buffer
overflow, printf error, stack overflow in regex parsing, et cetera, ad infinitum, ad nauseum)
Personally I still thing the cleanest most understandable way of accomplishing this sort of
goal has been the systrace patches by Niels Provos. They make perfect sense to anyone who has
ever had to deal with packet filtering and they are the only approach I've seen that would
allow a normal user to effectively limit behavior of software. (One could imagine a user
creating systrace configurations to prevent his or her browser from accessing specific
document trees and other files, for example. The implications of this are far more
significant than one realizes in an era when many of us are seriously considering locking our
browsers --- and perhaps our MTAs --- into their own virtual machines to protect the rest of
our home directories therefrom).