Right. But there's almost no software that supports the equivalent of limited capability tokens, much less casually handing them around. In contrast, in real life, it's a common use case, and we don't usually even bother with capability limits, because it's too much hassle - we rely on trust (part of which is a persistent relationship that continues beyond the current interaction) + spatial proximity and temporal limits.
I.e. even if your mom handed you her credit card, she was still there in a car nearby (spatial proximity), and was waiting for you there (temporal limit), and she was your mom (persistent trust-based relationship), which is sufficient protection from the risk of you running away and spending her money on hookers.
(How you managed to buy cigarettes as a 15yo is beyond me - or maybe there were no age checks in the 1970s yet?)
Coming back: in real life, we don't bother with restricting the access tool, everyone is transiently giving much more access than they need to random things, and expects them to not abuse it. Meanwhile, cybersecurity is mostly stuck in the mindset of passwords being your identity, and being like underwear (change frequently, don't share), and the concept of delegation of authority doesn't exist beyond some enterprise systems. Which is why, in the real world, everyone says "fuck it" and just shares passwords as needed.