After Log4j, Open-Source Software Now a National Security Issue

Is it Log4j that is really the issue, or is it Operating Systems not designed to support the principle of least privilege? Capability Based Security would go a long way towards containing unwanted side effects for any given executable.