sunfish, A subtlety about capability-based security in Wasm components is that there is no "ambient authority".
There are functions with no arguments that return handles, which at first glance looks like classic ambient authority.
But, all functions are interposable at link time. So users can wasi-virt or wac or other mechanisms to link a component to whatever they want, and attenuate or redirect the function however they want.
So instead, we say those functions use "link-time authority".
Add comment