I wonder if there's a world where we run nearly all user programs in isolated (containerized) environments, with minimal access to persistent storage, etc. In many ways it seems weird that we let every program access everything that your user has access to, by default.

Android works like you describe, for the most part. It would be great to have such a permissions model on the desktop.

Android still has a global FS that programs can write to if they have the permission, in Fuschia there is no global FS, which is as sandboxed it gets.

try is written in posix shell, it's cowboy too.