One way to isolate applications, common for server daemons, is to run them under their own user. The real "human" user can sudo into any application account, and does so on application execution. Marketing would have to rename things and slap a GUI over the feature, but I don't see why it wouldn't work for arbitrary Cocoa apps. (And the screen-capture API should be limited to capturing parts of the screen the application is currently drawing to, with overlaps clipped out, etc.)
That's clearly not viable, as displayed in the linked article. One of the examples of a good use for this was 1Password reading QR codes from a browser. Additionally, how would screen capture software work?
