> As I said BlueHarvest is your friend.

Somehow other OSes can live without polluting every pendrive and network file system.
While OS X creates gazillions of junk files just to remember icon position and tags in folders.
And the worst part is that this is mandatory. Even on remote FS mounted over slow internet.
> So, you would like to get rid of the concept of the Trash folder and have things deleted completely when you select 'Delete'?

The Trash folder is also a misconception. If you delete something on your pendrive and unmount it, then it is still there, only in a different location.
That causes issues with media players or DLNA servers, for example, that scan whole disks and find deleted data in Trash.
> As in the whole file system for a backup application for example. And you probably don't want to know how Dropbox operated until about two years ago to get the icons that indicate the status of a file or folder (injecting code into running executables).

Every app can work in a jailed sandbox; you just have to prepare the sandbox the way the application is expecting.
> Not every application; Mac App Store applications don't, they are all sandboxed. And you know how many people would cry murder if suddenly it would be impossible for any app to reach all parts of the OS. There are tons of Unix tools that would break.

The issue today is that every application can see EVERY FILE ON YOUR WHOLE FILESYSTEM.
> You can always restrict your Mac to Mac App Store apps only. It's right there in System Preferences > Security & Privacy > General. Beyond that, to access stuff outside your home folder, any application installer needs your permission by asking for an admin password.

Doesn't matter if it's Server.app or a puzzle game.
Every application has access to your configuration files and full access to the network, so the possibilities for malware code injection are endless.
You are right, sandboxing is helpful in increasing security (and this is why Mac App Store apps are sandboxed), but you have provided no solution for how the sandbox could be tailored for each app. One could make it mandatory for every app to register its tailor-made sandbox with the OS, but who is controlling that the registered sandbox is appropriate and not too generous? There is no magic bullet (unless you go as far as iOS, but good luck with defending such a position publicly).
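The question of whether a registered sandbox is "appropriate and not too generous" can at least be checked mechanically, because an App Sandbox profile is declared in the app's entitlements plist. The following is an added example, not code from the thread or from Apple: it parses an entitlements plist and reports whether the App Sandbox is on, which file and network entitlements are granted, and whether any `temporary-exception` entitlement widens file access beyond what the sandbox normally allows. The three plists are constructed for the example; on a real Mac the XML would come from `codesign -d --entitlements :- /Applications/Foo.app`. The entitlement keys used are real App Sandbox keys; the `audit_entitlements` function and the sample app names are assumptions of this example.

```python
import plistlib

# Real App Sandbox entitlement keys (values are human-readable descriptions).
SANDBOX_KEY = "com.apple.security.app-sandbox"
FILE_ACCESS = {
    "com.apple.security.files.user-selected.read-write": "files the user picks in an open/save dialog",
    "com.apple.security.files.downloads.read-write": "~/Downloads",
    "com.apple.security.temporary-exception.files.home-relative-path.read-write": "paths under $HOME",
    "com.apple.security.temporary-exception.files.absolute-path.read-write": "absolute paths",
}
NETWORK = {
    "com.apple.security.network.client": "outbound network",
    "com.apple.security.network.server": "inbound network",
}


def _enabled(value):
    """Boolean entitlements are <true/>; temporary exceptions carry an array of paths."""
    if value is True:
        return True
    return isinstance(value, (list, str)) and len(value) > 0


def audit_entitlements(plist_bytes: bytes) -> dict:
    """Summarise what an entitlements plist lets the app reach (assumed helper)."""
    ents = plistlib.loads(plist_bytes)
    granted = {k: v for k, v in ents.items() if _enabled(v)}
    sandboxed = SANDBOX_KEY in granted
    file_access = [FILE_ACCESS[k] for k in sorted(granted) if k in FILE_ACCESS]
    network = [NETWORK[k] for k in sorted(granted) if k in NETWORK]
    warnings = []
    if not sandboxed:
        # Without the sandbox entitlement the app sees everything the user can.
        warnings.append("not sandboxed: can read every file the user can")
    else:
        for key in sorted(granted):
            if key in FILE_ACCESS and "temporary-exception" in key:
                warnings.append(
                    f"temporary exception widens the sandbox: {FILE_ACCESS[key]}: {granted[key]}"
                )
    return {"sandboxed": sandboxed, "file_access": file_access,
            "network": network, "warnings": warnings}


# Constructed sample plists (not taken from any real app).
PLIST_HEADER = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
                b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">\n')
PLIST_FOOTER = b"</plist>\n"

PUZZLE_GAME = PLIST_HEADER + b"""<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
</dict>
""" + PLIST_FOOTER

GENEROUS_EDITOR = PLIST_HEADER + b"""<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.files.user-selected.read-write</key><true/>
  <key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
  <array><string>/</string></array>
  <key>com.apple.security.network.client</key><true/>
  <key>com.apple.security.network.server</key><true/>
</dict>
""" + PLIST_FOOTER

UNSANDBOXED_TOOL = PLIST_HEADER + b"""<dict>
  <key>com.apple.security.app-sandbox</key><false/>
</dict>
""" + PLIST_FOOTER

if __name__ == "__main__":
    for name, plist in [("PuzzleGame.app", PUZZLE_GAME),
                        ("GenerousEditor.app", GENEROUS_EDITOR),
                        ("LegacyTool.app", UNSANDBOXED_TOOL)]:
        report = audit_entitlements(plist)
        print(name, report)
```

The point of the `_enabled` check is that a key set to `<false/>` must not count as granted, while a temporary-exception key is a list of paths rather than a boolean; a home-relative exception of `/` means the whole home directory, which is the "too generous" case the thread worries about.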