I said that the problem was with the permissions being the same for all apps from a single user.
putting the cookie in one file and having all apps read it from that file would seem to match my criteria for a problem.
But there's nothing saying that you couldn't have a different cookie for each app, and then give different cookies different permissions.
this wouldn't be a matter of 'user this cookie for screenshots' type of thing, but a matter of 'application X was given cookie Y, application X is a screenshot app, so allow cookie Y to do screenshots'
Assuming apps do something sane and only read this cookie once at startup, you could replace the file they read it from with something that's an interface to an application that can use SCM_CREDENTIALS to find out what app is talking to it, and return different contents to different apps. You can then have that program either give a different cookie to every app, or make whatever policy decisions it wants about what cookies to give to different apps.