The global mode does work if you want to monitor everything, system-wide, but it is too broad-scope if you just want to monitor, say, $HOME. Or /var/www/databases. Etc., you get the idea. There are many good reasons to monitor everything below a particular directory. Especially on multi-user systems. An off the wall example: Recursively monitoring changes below $PWD would be useful for speeding up programs like Make and Git between invocations. Recursively monitoring $HOME is appropriate for personal indexers on multi-user systems.
So the obvious thing to do is improve inotify to provide recursive notifications, instead of Yet Another API to a slightly different mix of the same features. IN_RECURSIVE: "notify this directory of events occurring on any path below the directory, not just immediately below the directory". There you go. Making it efficient is left as an exercise :-) (hint: lazily propagate flags up and down the dentry tree)
That's notifications. The other part is blocking operations on files - the filtering part. We already have a mechanism for that, too: leases. The F_SETLEASE API is clearly not suitable, but the underlying lease mechanism is close. Suggestion: return a leased file descriptor alongside an inotify event if IN_LEASE_* flags are set. Use F_SETLEASE or something like it to release a lease, granting or denying permission.
In its present form it is sure to be rejected due to the very strange and unnecessary API, and which looks like it was written by people who did not read the history of inotify's inclusion into the kernel. inotify has its own system calls because the original version was rejected on l-k, and told to use system calls because it's not a device or socket.
As a small incremental change to inotify, it's much more likely to be accepted, and it's also much more likely to be useful for applications you haven't thought of.
There might still be a reason to add a netlink socket API as well (though I can't think of one), but if so it should be a general addition to inotify, not a complete replacement which happens to be like inotify in some ways and different in others.
We already have F_NOTIFY, inotify and F_SETLEASE. We don't need yet another slightly different but nearly the same thing, which happens to be useful for a tiny set of applications but still very limited in arbitrary ways, when a little incremental improvement to inotify would be both cleaner and useful for a lot more applications.
Don't get me wrong, inotify has flaws, but together with leases, it's not far off what the fanotify-using applications need. I strongly advocate fixing them, rather than starting again.
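Added illustration (not part of the message above, and not code from the fanotify patches or from inotify itself): what user space has to do today for "everything below a directory" without the IN_RECURSIVE flag proposed above. It walks the tree and calls inotify_add_watch() once per directory, keeps a wd-to-path table so events can be turned back into full paths, and, when an IN_CREATE|IN_ISDIR event shows up, walks the new subtree too so the recursion keeps going. The helper names, the fixed-size watch table and the temporary test tree under /tmp are all assumptions made for the example; the constructed demo creates a directory after the initial walk and checks that a file created inside it is still reported.

```c
#define _GNU_SOURCE
#include <sys/inotify.h>
#include <sys/stat.h>
#include <linux/limits.h>
#include <dirent.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define WATCH_MASK (IN_CREATE | IN_DELETE | IN_MODIFY | IN_MOVED_FROM | IN_MOVED_TO)
#define MAX_WATCHES 1024   /* fixed-size wd -> path table; an assumption made for brevity */
static struct { int wd; char path[PATH_MAX]; } watch_tab[MAX_WATCHES];
static int n_watches;

static const char *wd_to_path(int wd) {
    for (int i = 0; i < n_watches; i++)
        if (watch_tab[i].wd == wd) return watch_tab[i].path;
    return NULL;
}

/* Watch one directory and remember its path (re-watching a directory returns its existing wd). */
static int watch_dir(int ifd, const char *path) {
    int wd = inotify_add_watch(ifd, path, WATCH_MASK);
    if (wd < 0 || wd_to_path(wd)) return wd;
    if (n_watches >= MAX_WATCHES) return -1;
    watch_tab[n_watches].wd = wd;
    snprintf(watch_tab[n_watches].path, PATH_MAX, "%s", path);
    n_watches++;
    return wd;
}

/* User-space stand-in for the proposed IN_RECURSIVE: one inotify_add_watch() per directory
 * below root. Returns the number of directories watched, or -1. Inherently racy: a directory
 * created after readdir() saw its parent is only caught via the parent's IN_CREATE|IN_ISDIR
 * event, which handle_events() below turns into another walk. */
static int watch_tree(int ifd, const char *root) {
    if (watch_dir(ifd, root) < 0) return -1;
    DIR *d = opendir(root);
    if (!d) return -1;
    int count = 1;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        char child[PATH_MAX];
        struct stat st;
        snprintf(child, sizeof child, "%s/%s", root, de->d_name);
        if (lstat(child, &st) < 0 || !S_ISDIR(st.st_mode)) continue;
        int sub = watch_tree(ifd, child);
        if (sub > 0) count += sub;       /* a directory removed mid-walk is just skipped */
    }
    closedir(d);
    return count;
}

/* Drain a non-blocking inotify fd, appending each event's full path and '\n' to out (outsz > 0).
 * Newly created subdirectories are watched as they appear. Returns events consumed, or -1. */
static int handle_events(int ifd, char *out, size_t outsz) {
    char buf[8192] __attribute__((aligned(__alignof__(struct inotify_event))));
    int seen = 0;
    out[0] = '\0';
    for (;;) {
        ssize_t len = read(ifd, buf, sizeof buf);
        if (len < 0) return errno == EAGAIN ? seen : -1;   /* EAGAIN: queue drained */
        for (char *p = buf; p < buf + len; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            const char *dir = wd_to_path(ev->wd);
            if (dir && ev->len) {          /* len == 0 for IN_IGNORED, IN_Q_OVERFLOW, ... */
                char full[PATH_MAX];
                snprintf(full, sizeof full, "%s/%s", dir, ev->name);
                if ((ev->mask & IN_CREATE) && (ev->mask & IN_ISDIR))
                    watch_tree(ifd, full); /* keep the "recursive" illusion going */
                snprintf(out + strlen(out), outsz - strlen(out), "%s\n", full);
            }
            seen++;
            p += sizeof *ev + ev->len;
        }
    }
}

/* Constructed demonstration: a temporary tree in which a directory appears after the initial
 * walk and a file is then created inside it. Returns 1 if that file was still reported, 0 if
 * it was missed, -1 on a setup error. */
static int demo_recursive_watch(void) {
    char root[] = "/tmp/inotify-rec-XXXXXX", a[PATH_MAX], b[PATH_MAX], f[PATH_MAX], report[8192];
    if (!mkdtemp(root)) return -1;
    snprintf(a, sizeof a, "%s/a", root);
    snprintf(b, sizeof b, "%s/a/b", root);
    snprintf(f, sizeof f, "%s/a/b/new.txt", root);
    if (mkdir(a, 0700) < 0) return -1;                       /* exists before the walk */
    int ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (ifd < 0 || watch_tree(ifd, root) != 2) return -1;    /* root and root/a */
    if (mkdir(b, 0700) < 0) return -1;                       /* appears after the walk */
    if (handle_events(ifd, report, sizeof report) < 0) return -1;   /* b gets watched here */
    if (close(open(f, O_WRONLY | O_CREAT, 0600)) < 0) return -1;    /* close(-1) fails too */
    if (handle_events(ifd, report, sizeof report) < 0) return -1;
    int ok = strstr(report, f) != NULL;
    unlink(f); rmdir(b); rmdir(a); rmdir(root); close(ifd);
    return ok;
}

int main(void) { return demo_recursive_watch() == 1 ? 0 : 1; }
```

The point of the example is the cost, not the cleverness: every directory costs a syscall and a kernel watch, the walk and the add_watch are not atomic, and the table has to be maintained by hand. That is the bookkeeping the kernel could do once, and do race-free, with a single recursive flag.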