Right now this can be done by agents designed for it if they deliberately run without root privileges and fail noisily enough when they can't do something as a result. But I'd like to be able to cause this behavior in something that isn't designed for it. The middle case is addressed by things like bash's 'noclobber'. Hmm, maybe make it owned by root, but with permissions d---rwx--- and group-owned by a special group? And conversely, folders owned by user 'nobody', group 'interactive-user', and permissions drwx---rwx?
I think Gödel's Incompleteness applies here somewhere. I'll have to do some experimenting.
Note that my scheme would mandate two sorts of /tmp folder: one that the system uses, and one that a user can manipulate.
It would be interesting to have a way of encoding *why* some filesystem permission is not granted.
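To make the arithmetic of the two-directory scheme concrete, here is an added example (not from the original post) that simulates the POSIX discretionary access decision for the two proposed directories and returns, alongside the yes/no, the class of bits that decided it. The uids, gids, group names, paths and the `/tmp/system` and `/tmp/user` split are all made up for the simulation; the one real rule it encodes is that the kernel picks exactly one class (owner, then group, then other) and never falls through, so a group whose bits are `---` is a deny list, not a no-op.

```python
"""Simulate POSIX directory permission checks for the two /tmp-style
directories sketched above.  Added example, not from the original post.
All uids, gids, names and paths are constructed for illustration."""

import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    path: str
    uid: int
    gid: int
    mode: int          # permission bits only, e.g. 0o070


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset    # primary plus supplementary groups


# Constructed identities (assumption): root=0, nobody=65534, alice=1000,
# svc=999; groups: systmp=900, interactive-user=901.
ROOT, NOBODY, ALICE, SVC = 0, 65534, 1000, 999
G_SYSTMP, G_INTERACTIVE = 900, 901

# d---rwx---  root:systmp            -> owner nothing, special group rwx
SYSTEM_TMP = Inode("/tmp/system", ROOT, G_SYSTMP, 0o070)
# drwx---rwx  nobody:interactive-user -> group locked out, everyone else rwx
USER_TMP = Inode("/tmp/user", NOBODY, G_INTERACTIVE, 0o707)


def render(inode):
    """ls-style mode string, e.g. 'd---rwx---'."""
    return stat.filemode(stat.S_IFDIR | inode.mode)


def access(proc, inode, want):
    """Return (allowed, reason) for a process wanting a subset of 'rwx'.

    Mirrors the POSIX rule: select exactly ONE class of bits (owner if the
    uid matches, else group if the gid is held, else other) and use only
    that class.  There is no fall-through to a later class, so a matching
    group with '---' denies even if 'other' would have allowed it.
    uid 0 is modelled as bypassing the check entirely (CAP_DAC_OVERRIDE).
    """
    if proc.uid == 0:
        return True, "uid 0 bypasses discretionary checks"
    if proc.uid == inode.uid:
        cls, shift = "owner", 6
    elif inode.gid in proc.gids:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    bits = (inode.mode >> shift) & 0o7
    have = {"r": bool(bits & 4), "w": bool(bits & 2), "x": bool(bits & 1)}
    missing = "".join(p for p in want if not have[p])
    if missing:
        return False, f"{cls} class of {inode.path} ({render(inode)}) lacks {missing}"
    return True, f"{cls} class of {inode.path} ({render(inode)}) grants {want}"


def scenario():
    """Who can create files ('wx' on the directory) in each /tmp."""
    alice = Process(ALICE, frozenset({ALICE, G_INTERACTIVE}))   # interactive user
    svc = Process(SVC, frozenset({SVC, G_SYSTMP}))              # system daemon
    root = Process(ROOT, frozenset({ROOT}))
    return {
        ("alice", "system"): access(alice, SYSTEM_TMP, "wx"),
        ("alice", "user"): access(alice, USER_TMP, "wx"),
        ("svc", "system"): access(svc, SYSTEM_TMP, "wx"),
        ("svc", "user"): access(svc, USER_TMP, "wx"),
        ("root", "system"): access(root, SYSTEM_TMP, "wx"),
    }


if __name__ == "__main__":
    for (who, where), (ok, why) in scenario().items():
        print(f"{who:6} {where:7} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Running it shows the non-obvious result: `alice`, who is in `interactive-user`, is denied on the `nobody:interactive-user drwx---rwx` directory because her group match selects the empty group class, while `svc`, who is not in that group, gets the `rwx` of the other class. The reason string is the simplest form of "encoding why a permission is not granted": it names the class that was selected and which bits were missing.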