> You also still have the delegation problem - A can't do X, but A can talk to B, which can do X. Most modern attacks involve that approach.

On the contrary, the whole selling point of capability-based systems is that they're the solution to preventing these sorts of confused-deputy attacks.