Is it possible to provide a sandboxed application with minimal permissions by default, but extend these with additional permissions that enable extended functionality when the user chooses and confirms this?
More specifically, I would like to give a file-utility application file-read permissions by default. However, I would like the application to obtain additional write-permissions when the user wants this. For example, the user could initiate such a change from the application's user preferences, e.g. by ticking the application-specific "Enable file deletion" option. The application would then forward this request to the OS, which lets the user confirm this, e.g. via a confirmation dialog "Do you want to grant file write-access to the 'FooFileUtility' application?". When the user confirms, the OS adapts the entitlements accordingly, and the application can offer the user the requested delete functionality.
Context: I am developer of a file-utility application whose main function is to give the user a visual overview of the disk usage. For this the application requires read access. Optionally, the application allows the user to delete selected files and folders to free up space, which requires write access. Managing deletion via the application has several advantages to the user. It's convenient for the user and enables the application to track and show how much space has been freed up while the user is cleaning up. However, granting write-access is obviously a potential security risk, so not all users may want this.