The pragmatic reason is that the runtime should have more permissions than the code, e.g. in Node, require('fs') can likely read files in system folders.
Not necessarily; in SELinux, for example, you would configure a domain for the "main process" which can transition into a lower-permission domain for "app" code.
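As an added example that is not part of the thread, here is a sketch of the SELinux policy module the comment above describes, written in reference-policy (.te) syntax. The type names (node_main_t, node_main_exec_t, node_app_t, node_app_exec_t) are assumptions, as is the layout in which the main process spawns the app code as a separate process through an entrypoint file labelled node_app_exec_t; the thread names none of these.

```selinux
policy_module(node_sandbox, 1.0)

# Domain and entrypoint types. All four names are assumed for this example.
type node_main_t;
type node_main_exec_t;
type node_app_t;
type node_app_exec_t;

# The "main process" is a daemon started from init and runs in node_main_t.
init_daemon_domain(node_main_t, node_main_exec_t)

# The "app" domain is a process domain whose only entrypoint is a file
# labelled node_app_exec_t (e.g. a wrapper script for the app code).
domain_type(node_app_t)
domain_entry_file(node_app_t, node_app_exec_t)

# When node_main_t execs a node_app_exec_t file, the child lands in
# node_app_t automatically. This is the transition the comment refers to;
# it happens at exec(), so the app code must run in its own process.
domain_auto_trans(node_main_t, node_app_exec_t, node_app_t)

# The app wrapper re-executes the runtime binary. Allow that without a
# transition so the child stays confined in node_app_t.
can_exec(node_app_t, node_main_exec_t)

# Only the main domain gets the broad read access the thread worries about.
files_read_etc_files(node_main_t)

# The app domain gets nothing on /etc. There is simply no allow rule, and
# the neverallow makes a policy build (or semodule link with expand-check)
# fail if someone later adds one.
gen_require(`
    type etc_t;
')
neverallow node_app_t etc_t:file read;

# Shared-library, /tmp and network rules the app domain would also need in
# practice are left out here to keep the transition itself visible.
```

Once the module is built and loaded (checkmodule -M -m, semodule_package, semodule -i) and the wrapper is relabelled to node_app_exec_t, `ps -eZ` shows the parent in node_main_t and the spawned app process in node_app_t, and a require('fs') read of something under /etc from the child is denied and logged in the audit log rather than permitted by the runtime.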