You probably don't want all the platform-specific stuff in a capability-based language, because the filesystems in mainstream OSs are not capability based, and you can't sugar-coat a non-capability system with capabilities. The capabilities need to be built in, and one of the main principles behind them is that you should not separate designation and authority. Access-control lists (MAC, DAC, RBAC, etc.) violate this principle - the authority is held separately from the designator, and this is why these systems are always vulnerable to confused deputies.
In a capability-based system, you should present a set of directory capabilities to a process on launch, and the process should be able to access files/subdirs, or create new files/subdirs within it, and potentially pass capabilities to those files to other processes. The app should not, however, be able to escape the directories it has capabilities to. There should be no way to go "up". The only way a process should gain access to another directory is if another process explicitly passes it the capability. This should really be enforced at the OS level, but it is not (usually). If a capability-based language can enforce it in its runtime/stl, then you can at least not have to worry about programs written in those languages escaping their directories (assuming no unsafe/FFI).
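As an added illustration of the runtime-enforced directory capability described above (example code, not from the comment or any particular language's stdlib; `DirCap`, `escapes` and `demo` are hypothetical names), the object that designates the subtree is the only authority over it, a derived capability cannot go "up", and a symlink pointing out of the subtree is rejected the same way as `..`:

```python
import tempfile
from pathlib import Path


class DirCap:
    def __init__(self, root):
        self._root = Path(root).resolve(strict=True)

    def _resolve(self, rel: str) -> Path:
        # Canonicalise (collapses "..", follows symlinks), then require the result to stay under root.
        candidate = (self._root / rel).resolve()
        try:
            candidate.relative_to(self._root)
        except ValueError:
            raise PermissionError(f"{rel!r} leaves the capability root") from None
        return candidate

    def read(self, rel: str) -> bytes:
        return self._resolve(rel).read_bytes()

    def write(self, rel: str, data: bytes) -> None:
        self._resolve(rel).write_bytes(data)

    def subdir(self, rel: str) -> "DirCap":
        # Attenuation: a narrower capability the holder may pass to another component.
        path = self._resolve(rel)
        path.mkdir(exist_ok=True)
        return DirCap(path)


def escapes(cap: DirCap, rel: str) -> bool:
    try:
        cap._resolve(rel)
        return False
    except PermissionError:
        return True


def demo() -> dict:
    # Constructed scenario: a root cap, an attenuated child cap, and three escape attempts.
    root = DirCap(tempfile.mkdtemp())
    root.write("config.txt", b"secret")
    data = root.subdir("data")
    data.write("notes.txt", b"hello")
    (root._root / "up").symlink_to(root._root.parent)  # a symlink that points "up"
    return {
        "child_reads_own": data.read("notes.txt"),
        "dotdot_blocked": escapes(data, "../config.txt"),
        "absolute_blocked": escapes(data, "/etc/hostname"),
        "symlink_blocked": escapes(root, "up/anything"),
    }
```

A path check like this is still racy against a symlink swapped in between the check and the open, which is why the comment asks for OS-level enforcement; on Linux that is what openat2 with RESOLVE_BENEATH provides.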
Yes. It seems like running a capability-based system on top of a non-capability-based filesystem is a form of sandboxing. It's not impossible - for example, it's how filesystem APIs work in a browser. But it's tricky to prevent sandbox escapes.