I think that mobile app stores got it half right: the store simply asks for the requisite permissions when installing an app. I've declined to try numerous "free" apps that apparently needed access to all of my private data for no good reason at all. It shouldn't be any different when installing Mac App Store apps. The only additional feature that I'd like to see is for the apps to define what subset(s) of permissions they can live with, so that users would have the option of running apps with fewer permissions, with some loss in functionality.
For devices like smartphones and tablets that can't be administered in the way a full PC can be, I want *all* apps sandboxed - especially the vendor's apps.
As for the minimum "subset(s) of permissions they can live with", why ask? If the app is asking for access to sensitive data without a compelling reason, why would it also admit it doesn't need that access? If the app says "If you let me access X, then I can do Y for you", then I can consider it. But even then, why bother?
The access permissions can be part of the sandbox mechanism. If I allow app W to access X, then the sandbox can allow that. Otherwise, it can just provide "Harmless X" for the app to play with.
I suppose apps could detect "Harmless X" and refuse to work. But, for example, suppose X is my Contacts list. If I never add any contacts nor delete any of the sample contacts, then my real Contacts is indistinguishable from "Harmless Contacts". It would be very rude for the app to refuse to work in that case, so any app that would refuse is probably some kind of malware.
Yes, I know that would mean no apps like TextExpander.
On my PC, I run Debian with SELinux and virtual screens, each with its own Xserver. Yes that means I can't copy/paste between applications on different virtual screens. It also means I had to create a lot of "Harmless X" resources that certain applications want to access.
Far from perfect. And a major pain. And I know separate PCs would be a lot safer. I already have a separate PC for audio recording and editing. That PC doesn't have any network access.
So, as far as I am concerned, neither Apple nor Google has gone far enough.
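The "Harmless X" broker sketched in the comment above, written out as an added example. This is not code from the page, from Apple, Google or any real sandbox; the app ids, resource names and contact entries are constructed for the illustration. The broker hands an app the real resource only when the user has granted it, otherwise a stand-in of the same type and field layout, and records every request so the user can later see what an app asked for without being allowed.

```python
"""Permission-mediating resource broker with "Harmless" stand-ins.

Added example for the sandbox idea discussed above; all apps, resources and
contacts here are constructed, not real data or a real vendor API.
"""
from __future__ import annotations

from dataclasses import dataclass, field, fields
from typing import Callable, Sequence


@dataclass(frozen=True)
class Contact:
    name: str
    phone: str


# Constructed sample data (no real people): what the user actually has.
REAL_CONTACTS: tuple[Contact, ...] = (
    Contact("Alice Example", "+1-555-0100"),
    Contact("Bob Example", "+1-555-0101"),
)

# "Harmless Contacts": same type and fields, content that looks like the
# sample entries a fresh device ships with.
HARMLESS_CONTACTS: tuple[Contact, ...] = (
    Contact("Sample Contact", "+1-555-0199"),
)


@dataclass(frozen=True)
class Resource:
    """A mediated resource: a provider for the real thing and a harmless stand-in."""
    name: str
    real: Callable[[], Sequence]
    harmless: Callable[[], Sequence]


@dataclass
class Sandbox:
    """Broker between apps and resources.

    grants maps an app id to the resource names the user allowed it.
    Every request is appended to audit as (app_id, resource, granted)
    so the user can review what each app asked for.
    """
    resources: dict[str, Resource]
    grants: dict[str, set[str]]
    audit: list[tuple[str, str, bool]] = field(default_factory=list)

    def allow(self, app_id: str, resource: str) -> None:
        self.grants.setdefault(app_id, set()).add(resource)

    def revoke(self, app_id: str, resource: str) -> None:
        self.grants.get(app_id, set()).discard(resource)

    def open(self, app_id: str, resource: str) -> Sequence:
        """Return the real resource if granted, otherwise the stand-in.

        An unknown resource name is an error; a missing grant is not. The app
        gets a working object either way and cannot tell from its type or
        field layout which one it received.
        """
        if resource not in self.resources:
            raise LookupError(f"no such resource: {resource}")
        granted = resource in self.grants.get(app_id, set())
        self.audit.append((app_id, resource, granted))
        res = self.resources[resource]
        return res.real() if granted else res.harmless()

    def denied_requests(self, app_id: str) -> list[str]:
        """Resources an app asked for without a grant, in request order."""
        return [r for a, r, ok in self.audit if a == app_id and not ok]


def same_shape(resource: Resource) -> bool:
    """True if the stand-in is structurally identical to the real resource.

    If an app can tell them apart by type or field names, the stand-in is
    not doing its job.
    """
    real, fake = resource.real(), resource.harmless()
    if not real or not fake:
        return False
    return type(real[0]) is type(fake[0]) and (
        [f.name for f in fields(real[0])] == [f.name for f in fields(fake[0])]
    )


def build_sandbox() -> Sandbox:
    """Constructed setup: 'notes' was granted contacts, 'flashlight' was not."""
    contacts = Resource("contacts", lambda: REAL_CONTACTS, lambda: HARMLESS_CONTACTS)
    return Sandbox(
        resources={"contacts": contacts},
        grants={"notes": {"contacts"}, "flashlight": set()},
    )


if __name__ == "__main__":
    sb = build_sandbox()
    print(sb.open("notes", "contacts"))       # the real list
    print(sb.open("flashlight", "contacts"))  # the harmless stand-in
    print("flashlight asked for:", sb.denied_requests("flashlight"))
```

The point of `same_shape` is the caveat raised in the comment: a stand-in only works if nothing about its type or layout gives it away, so a sandbox author should check that property for every resource it decoys. The audit log gives the user the other half of the picture, a list of what each app tried to reach without permission.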