"if you're looking for per-application namespacing, things get a lot more complicated. for user-defined namespacing, you run into all the classical security issues of what happens when a user runs a setuid binary inside a specially-crafted chroot jail. on the application level, you are interested in a lot more than just broad filesystem privileges; saying that Firefox is limited to read-only access to everything but its own cache directory sounds nice at first, but then you realize that people like to be able to download and save stuff from the Web, and they may well want to be able to save directly to anywhere in $HOME and not just ~/Downloads... so at best you're back to the per-user namespace/jail setup."
So instead you make a 'file system access' daemon which runs in a separate process and exposes a 'Show Filesystem Dialog and return a file handle' function. Like Chrome does, for example.
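The broker design this comment describes, as an added example that is not code from the thread or from Chrome: a privileged "file system access" process stands in for the dialog (here a callback returning the user's choice), opens the chosen file itself, and hands the sandboxed application an already-open descriptor over a Unix socket via SCM_RIGHTS, so the application never handles a path. The `broker_serve_one`, `client_request_file` and `run_demo` names are assumptions made for this illustration; it assumes a Unix host and Python 3.9+ for `socket.send_fds`/`socket.recv_fds`, and runs both sides in one process with a thread for the broker purely to stay self-contained.

```python
import os
import socket
import tempfile
import threading

# Added example modelling the broker pattern from the comment above. In a real
# deployment the client side lives in a sandboxed process that cannot open
# paths at all; the broker is the only party with filesystem privileges.

REQUEST_OPEN = b"open"      # the single verb the client may speak
REPLY_OK = b"ok"
REPLY_CANCEL = b"cancel"


def broker_serve_one(conn, show_dialog):
    """Broker side. `show_dialog` stands in for the GUI file chooser: it returns
    the path the user picked, or None if the user cancelled. The path comes
    from the user through the broker, never from the client's request."""
    request = conn.recv(64)
    if request != REQUEST_OPEN:
        conn.sendall(REPLY_CANCEL)
        return False
    chosen = show_dialog()
    if chosen is None:
        conn.sendall(REPLY_CANCEL)
        return False
    # O_NOFOLLOW: a symlink planted at the chosen path cannot redirect the
    # broker to a file the user did not actually pick.
    fd = os.open(chosen, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        # SCM_RIGHTS: the kernel installs a duplicate of fd in the receiver.
        socket.send_fds(conn, [REPLY_OK], [fd])
    finally:
        os.close(fd)   # the broker keeps no handle once it has been passed
    return True


def client_request_file(conn):
    """Client side. Asks for a file and reads whatever descriptor comes back;
    returns the file's bytes, or None if the user cancelled the dialog."""
    conn.sendall(REQUEST_OPEN)
    msg, fds, _flags, _addr = socket.recv_fds(conn, 64, 1)
    if msg != REPLY_OK or not fds:
        return None
    with os.fdopen(fds[0], "rb") as f:   # takes ownership of the passed fd
        return f.read()


def run_demo(cancel=False):
    """Round trip over a socketpair. Returns the content the client read, or
    None when the simulated user cancels the dialog."""
    content = b"constructed sample document\n"   # constructed test data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
        path = tmp.name
    try:
        client_sock, broker_sock = socket.socketpair(socket.AF_UNIX)
        with client_sock, broker_sock:
            chooser = (lambda: None) if cancel else (lambda: path)
            broker = threading.Thread(
                target=broker_serve_one, args=(broker_sock, chooser))
            broker.start()
            result = client_request_file(client_sock)
            broker.join()
        return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(run_demo())              # b'constructed sample document\n'
    print(run_demo(cancel=True))   # None
```

The security property is in what the client never sees: it sends a fixed request and receives a descriptor, so a compromised client can read only files a human picked in the broker's dialog, and the broker's policy (here just O_NOFOLLOW; a real one would also check the chosen path against a mount or directory policy) runs in a process the client cannot influence.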