Err, I'm still having issues grasping the problem—why not just enforce portable installation and locally writable files? There's no reason user-facing apps need to be installed to anything other than a subdirectory of home, there's no reason to locate the app resources anywhere but as a subdirectory of the app installation, and the XDG filesystem standards for writing seem pretty solid at this point. You could then restrict all access by default and just prompt when it attempts to use a resource.
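The policy the comment sketches (app installed under `$HOME`, resources read from the install directory, writes only under the XDG base directories, everything else default-denied and bounced to a prompt) is easy to state as a decision function. The following is an added example, not code from the commenter or any project; the app name, install path, home directory and the `allow`/`deny`/`prompt` outcomes are my assumptions. The XDG defaults and the rule that empty or relative `XDG_*` values fall back to the default are taken from the XDG Base Directory specification.

```python
"""Default-deny file-access policy for a portable, per-user app (added example).

Assumptions (not from the original comment):
  - the app is installed in one directory under $HOME and that tree is read-only
    to the app itself, so a compromised app cannot patch its own code;
  - the only legitimate writes are under <XDG dir>/<app_name>;
  - anything else is returned as "prompt" so the user can decide.
"""
import os
from pathlib import Path

# XDG Base Directory defaults, relative to $HOME when the variable is unset.
XDG_DEFAULTS = {
    "XDG_DATA_HOME": ".local/share",
    "XDG_CONFIG_HOME": ".config",
    "XDG_STATE_HOME": ".local/state",
    "XDG_CACHE_HOME": ".cache",
}


def xdg_dirs(home, env=None):
    """Resolve the four XDG user directories, honouring absolute overrides in env.

    The spec says an unset, empty or relative value must be ignored and the
    default used instead, so "XDG_DATA_HOME=foo" does not move data into cwd.
    """
    env = os.environ if env is None else env
    home = Path(home)
    resolved = {}
    for var, default in XDG_DEFAULTS.items():
        value = env.get(var, "")
        resolved[var] = Path(value) if value.startswith("/") else home / default
    return resolved


def _within(path, root):
    """True if path is root or lies beneath it, comparing path components
    (a string prefix test would wrongly accept /x/foo-evil for root /x/foo)."""
    try:
        Path(path).relative_to(root)
        return True
    except ValueError:
        return False


def decide(requested, app_name, install_dir, home, mode="r", env=None):
    """Return "allow", "deny" or "prompt" for one file access.

    mode is "r" for reads and "w" for writes. Paths are normalised lexically
    (collapsing "..") so the check also covers files that do not exist yet; an
    enforcer hooked into open() would additionally resolve symlinks at that point.
    """
    if not os.path.isabs(requested):
        return "prompt"          # relative paths depend on cwd; let the user decide
    req = Path(os.path.normpath(requested))
    install = Path(os.path.normpath(install_dir))
    home = Path(os.path.normpath(home))

    if not _within(install, home):
        return "deny"            # premise: user-facing apps live under $HOME

    if _within(req, install):
        return "allow" if mode == "r" else "deny"   # resources are read-only

    for root in xdg_dirs(home, env).values():
        if _within(req, root / app_name):
            return "allow"       # the app's own XDG subtree, read or write
    return "prompt"


if __name__ == "__main__":
    # Constructed sample requests against an app "foo" installed in ~/apps/foo.
    home, install = "/home/alice", "/home/alice/apps/foo"
    for path, mode in [
        ("/home/alice/apps/foo/share/icon.png", "r"),
        ("/home/alice/apps/foo/bin/foo", "w"),
        ("/home/alice/.config/foo/settings.toml", "w"),
        ("/home/alice/.config/foo/../../.ssh/id_rsa", "r"),
        ("/home/alice/.config/foo-evil/x", "r"),
    ]:
        print(f"{mode} {path}: {decide(path, 'foo', install, home, mode, env={})}")
```

The `..` case and the `foo-evil` sibling case are the two checks that matter most: both would slip past a naive string-prefix comparison on the unnormalised path, and both end up at `prompt` here rather than `allow`.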