Android's binder seems to be exactly what you are talking about. A binder object represents a token for something you can send transactions to and receive transactions from. You use binder to talk to LocationManagerService which lets you get the location. Android has a service manager and lets any app get the LocationManagerService. LocationManagerService itself does do the permission checks.
The operating system uses both capabilities and permissions.
Regardless, this is all implementation details and for the user it is equivalent. There is the same principle of least privilege where apps are limited in what they can do.
> The operating system uses both capabilities and permissions.
No, that's still wrong.
The Android framework uses something that goes a little bit in the direction of capabilities.
But the Android framework / runtime runs (by now) on an OS (Linux) that is not capability safe.
> Regardless, this is all implementation details and for the user it is equivalent.
No, of course not.
On a capability secure OS your mouse driver can't read the disk or do network requests. Even if you found an exploit in the driver.
That's a completely different level of security!
It's a fact that there is still no capability secure OS out there in broad use. (Fuchsia could be the first that brings this concept into mainstream. But this will take time. Also Fuchsia isn't as strict as it could be, for different reasons).