Introduction

Instead, employ privilege separation: reduce the amount of code that executes with privilege, so that the majority of the code runs without any special privilege. This is motivated by the principle of least privilege: every program and every user should operate using the least amount of privilege necessary to complete the job. Adhering to it limits the unintended damage from programming errors: a bug in the unprivileged part cannot directly misuse a privilege that part never had. Privilege separation is orthogonal to other protection mechanisms; it is still possible to sandbox the application, apply mandatory access control, etc.
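As an added example (not from the original slides), the pattern above in Python: a small privileged broker keeps the only handle to a protected file and answers a single narrow request type, while a forked worker drops privileges and is the part that touches untrusted input. The protected file is a constructed stand-in created at runtime, the target uid/gid 65534 (the usual "nobody") is an assumption, and the request protocol is invented for this example.

```python
import os
import socket
import struct
import tempfile

MAX_READ = 64        # broker never returns more than this per request
MAX_MSG = 4096       # cap on any message length so a hostile peer cannot exhaust memory


def make_protected_file() -> str:
    """Constructed stand-in for a secret only the privileged side may open."""
    fd, path = tempfile.mkstemp(prefix="privsep-")
    os.write(fd, b"secret-line-1\nsecret-line-2\n")
    os.close(fd)
    os.chmod(path, 0o600)
    return path


def broker_handle(request: bytes, fh) -> bytes:
    """Privileged side. Only 'READ <n>' is understood; everything else is refused.
    A compromised worker therefore cannot name other files, run commands or
    read unbounded data: the interface, not the worker, bounds the damage."""
    parts = request.split()
    if len(parts) == 2 and parts[0] == b"READ" and parts[1].isdigit():
        n = min(int(parts[1]), MAX_READ)
        fh.seek(0)
        return b"OK " + fh.read(n)
    return b"ERR unsupported request"


def drop_privileges(uid: int = 65534, gid: int = 65534) -> bool:
    """Irreversibly drop to an unprivileged uid/gid (65534 assumed to be 'nobody').
    Returns True if privileges were dropped, False if the process was not root."""
    if os.geteuid() != 0:
        return False
    os.setgroups([])          # supplementary groups first, while still root
    os.setgid(gid)            # gid before uid, otherwise the gid change would fail
    os.setuid(uid)
    try:
        os.setuid(0)          # must fail: a real drop cannot be undone
    except PermissionError:
        return True
    raise RuntimeError("privilege drop did not stick")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("peer closed")
        buf += chunk
    return buf


def send_msg(sock: socket.socket, data: bytes) -> None:
    sock.sendall(struct.pack("!I", len(data)) + data)   # length-prefixed framing


def recv_msg(sock: socket.socket) -> bytes:
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    if n > MAX_MSG:
        raise ValueError("message too large")
    return _recv_exact(sock, n)


def worker(sock: socket.socket, untrusted_input: bytes) -> bytes:
    """Unprivileged side: drops privileges, then handles attacker-controlled input.
    A parsing bug here lives in a process that owns no secret and cannot regain root."""
    drop_privileges()
    send_msg(sock, untrusted_input)
    return recv_msg(sock)


def run(untrusted_input: bytes) -> bytes:
    """Fork a worker, serve exactly one request as the broker, return the reply sent."""
    path = make_protected_file()
    broker_end, worker_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:                               # child: the unprivileged worker
        broker_end.close()
        try:
            worker(worker_end, untrusted_input)
        finally:
            os._exit(0)
    worker_end.close()                         # parent: the privileged broker
    try:
        with open(path, "rb") as fh:
            reply = broker_handle(recv_msg(broker_end), fh)
            send_msg(broker_end, reply)
    finally:
        os.waitpid(pid, 0)
        os.unlink(path)
    return reply


if __name__ == "__main__":
    print(run(b"READ 13"))                     # OK secret-line-1
    print(run(b"OPEN /etc/shadow"))            # ERR unsupported request
```

The point to notice is where the trust boundary sits: the socketpair is the only channel between the two processes, so the privileged code that has to be reviewed carefully is `broker_handle` and the framing, roughly twenty lines, rather than the whole program.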