ref-fvm
Feature Request: Dropping Privileges
The ability to "drop privileges" (i.e., send all new messages as some "nobody" account) could significantly reduce the risk of "confused deputy" bugs. Even if there isn't a built-in feature, there should be a documented pattern for doing this. This could be useful for, e.g., proxy/event contracts that need to call arbitrary methods on behalf of a user.
However, I'm having trouble thinking of any use-cases where one would want to send a message as "nobody" instead of as a specific unprivileged contract. For the latter, I'd expect the proxy contract to set up some form of special "gateway" contract that sends arbitrary messages on behalf of the proxy contract and only sends those arbitrary messages (i.e., has no other privileges).
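To make the "gateway" pattern and the confused-deputy risk it mitigates concrete, here is an added example (not ref-fvm code, and not using the FVM SDK). It is a toy actor model in plain Rust: a `Runtime` delivers messages and tells the callee who the sender was, standing in for the FVM's caller identity. The `Vault`, `Proxy` and `Gateway` actors, the `Msg` enum and the actor ids are all constructed for the illustration. A naive proxy relays a user's arbitrary message under its own privileged identity and the vault accepts it; the hardened proxy hands the relay to a gateway that owns nothing, so the same message is rejected, while the proxy keeps its own direct privileges.

```rust
// Added example, not ref-fvm code: a toy model of the "gateway" pattern.
use std::collections::BTreeMap;

type ActorId = u64;

/// Outcome of a message delivery (stand-in for an exit code).
#[derive(Clone, Debug, PartialEq)]
enum Status { Ok, Unauthorized, UnsupportedMethod, NotFound }

/// Messages in the toy system. `Forward` carries a message to relay and its target.
#[derive(Clone, Debug, PartialEq)]
enum Msg {
    Withdraw,
    Forward { target: ActorId, inner: Box<Msg> },
}

enum Actor {
    /// Privileged resource: only `owner` may `Withdraw`.
    Vault { owner: ActorId, balance: u64 },
    /// Relays arbitrary user messages. `gateway == None` models the naive proxy
    /// that sends relayed messages under its own (privileged) identity.
    Proxy { gateway: Option<ActorId> },
    /// Holds no privileges anywhere; its only job is to relay for `proxy`.
    Gateway { proxy: ActorId },
}

/// What an actor decides to do after receiving a message.
enum Next { Return(Status), Send { from: ActorId, to: ActorId, msg: Msg } }

struct Runtime { actors: BTreeMap<ActorId, Actor> }

impl Runtime {
    /// Deliver `msg` to `to`; `from` is the sender identity the callee sees.
    fn send(&mut self, from: ActorId, to: ActorId, msg: Msg) -> Status {
        let next = match self.actors.get_mut(&to) {
            None => Next::Return(Status::NotFound),
            Some(Actor::Vault { owner, balance }) => match msg {
                Msg::Withdraw if from == *owner => { *balance = 0; Next::Return(Status::Ok) }
                Msg::Withdraw => Next::Return(Status::Unauthorized),
                Msg::Forward { .. } => Next::Return(Status::UnsupportedMethod),
            },
            Some(Actor::Proxy { gateway }) => match msg {
                // Hardened: hand the relay to the gateway so the final message is
                // sent as the gateway, which owns nothing. Naive: send it as ourselves.
                Msg::Forward { target, inner } => match gateway {
                    Some(gw) => Next::Send { from: to, to: *gw, msg: Msg::Forward { target, inner } },
                    None => Next::Send { from: to, to: target, msg: *inner },
                },
                Msg::Withdraw => Next::Return(Status::UnsupportedMethod),
            },
            Some(Actor::Gateway { proxy }) => match msg {
                // Only our proxy may drive us; the relayed message goes out as us.
                Msg::Forward { target, inner } if from == *proxy => {
                    Next::Send { from: to, to: target, msg: *inner }
                }
                Msg::Forward { .. } => Next::Return(Status::Unauthorized),
                Msg::Withdraw => Next::Return(Status::UnsupportedMethod),
            },
        };
        match next {
            Next::Return(code) => code,
            Next::Send { from, to, msg } => self.send(from, to, msg),
        }
    }
}

// Constructed actor ids for the demo.
const VAULT: ActorId = 100;
const PROXY: ActorId = 200;
const GATEWAY: ActorId = 300;
const USER: ActorId = 999; // an unprivileged, untrusted caller

/// Naive world: the proxy owns the vault and relays messages as itself.
fn build_naive() -> Runtime {
    let mut rt = Runtime { actors: BTreeMap::new() };
    rt.actors.insert(VAULT, Actor::Vault { owner: PROXY, balance: 1_000 });
    rt.actors.insert(PROXY, Actor::Proxy { gateway: None });
    rt
}

/// Hardened world: same ownership, but relays go out through a privilege-less gateway.
fn build_hardened() -> Runtime {
    let mut rt = Runtime { actors: BTreeMap::new() };
    rt.actors.insert(VAULT, Actor::Vault { owner: PROXY, balance: 1_000 });
    rt.actors.insert(PROXY, Actor::Proxy { gateway: Some(GATEWAY) });
    rt.actors.insert(GATEWAY, Actor::Gateway { proxy: PROXY });
    rt
}

fn main() {
    let relay = Msg::Forward { target: VAULT, inner: Box::new(Msg::Withdraw) };
    println!("naive proxy relays user's Withdraw: {:?}", build_naive().send(USER, PROXY, relay.clone()));
    println!("gateway proxy relays user's Withdraw: {:?}", build_hardened().send(USER, PROXY, relay));
}
```

The gateway is deliberately boring: it accepts only `Forward` from its proxy and does nothing else, so granting it privileges anywhere would be a visible mistake. The proxy still exercises its own authority directly (`PROXY` sending `Withdraw` to `VAULT` succeeds), which is the distinction the issue draws between sending as "nobody" and sending as a specific unprivileged contract.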