I'm having a hard time coming up with an example of a critically important vulnerability that relied on permissions models. Arbitrary code execution is usually game-over no matter what privilege level you have.
The exception to this is sandboxing, which is effective (but unreliable) in limited, specific scenarios but not at all effective for the general problem of controlling real, full-featured user programs. Compare the Chrome content sandboxes to the Apple application sandbox.
The exception to this is sandboxing, which is effective (but unreliable) in limited, specific scenarios but not at all effective for the general problem of controlling real, full-featured user programs. Compare the Chrome content sandboxes to the Apple application sandbox.