@gormster it's a defense in depth mechanism. If an attacker finds an exploit and tries to open a shell in an app that pledged to not open a shell, the kernel will refuse to open the shell. Browser can also pledge to not open files except in ~/.cache and same protection.