> The "private files" thing can be bypassed (using the "same uid" on the manifest, or setting up doc sharing between the apps).
Yes, there are issues with Android, but at least its base architecture is sound and does allow running untrusted or unverified code, while common Linux distributions are in worse shape now in that area than Windows 8.
> And it's not really practical in a desktop/laptop (or in a more "complete" tablet):
It is a matter of proper GUI. I am typing this in a VM running on qubes-os.org, which allows a secure way to share files between VMs. There are some annoyances, but they come from the fact that the only IMO reasonable way to isolate the current desktop Linux apps is to put them into separate VMs. That of course wastes a lot of resources and requires a high-end laptop. It would be nice to have the security without the need for VMs, but I just do not see how this is feasible with the current desktop API.
> it's perfectly possible to replicate the "one uid per app/set of apps" thing on desktop linux.
Yet this is not available now, while Android has been around for over 5 years. So I do not see as useful all those efforts to optimize the desktop Linux model for tablets rather than fix Android to allow running the desktop Linux apps without breaking the sandbox.