Quote:
But it seems to me that hindering an instance (for example, a process) from giving a key to any other instance (or at least to some instances) can increase security. Don't you think so?
In a capability system, this is already solved. The only way to pass a capability to another process is by possessing a capability that allows inserting handles into the other process. This typically means that the first process spawned the other, or they have established a communication channel that allows the transfer of capabilities. Being able to transfer a handle or not has no effect on security, nor does it impact the ability to record an audit trail in the case of mischief.
For example, let's suppose an attacker wants to write a malicious word processing application. It can spawn as many other processes as it wants and transfer file handles, thread handles, window handles, etc. around among them, but in the end it still can't do anything with this beyond trashing the files that the user tries to save, or leaking information from one opened document into another. Can it leak information or grant any sort of access to the user's files to the attacker himself? No, because it has no way of establishing a communication channel with the attacker.
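
A toy model of the transfer rule described in the reply above, as an added example that is not part of the original post; the `Process`, `Channel` and `Kernel` classes are hypothetical and do not correspond to any real OS API. It plays out the word-processor scenario: a handle moves to a spawned helper, the attempt to hand it to an unrelated process is refused, and the refusal still lands in the audit log.

```python
# Toy model of the rule above (constructed for illustration; not a real OS API).
class Process:
    def __init__(self, name):
        self.name, self.handles = name, set()  # handles = capabilities held

class Channel:  # carries capabilities between its two endpoints
    def __init__(self, a, b):
        self.ends = {a, b}
        a.handles.add(self)
        b.handles.add(self)

class Kernel:
    def __init__(self):
        self.audit = []  # (source, destination, capability, allowed)

    def spawn(self, parent, name):
        child = Process(name)
        parent.handles.add(child)  # the spawner holds a handle to its child
        return child

    def targets(self, src):  # processes src is able to insert handles into
        out = {h for h in src.handles if isinstance(h, Process)}
        for ch in (h for h in src.handles if isinstance(h, Channel)):
            out |= ch.ends - {src}
        return out

    def transfer(self, src, dst, cap):
        ok = cap in src.handles and dst in self.targets(src)
        self.audit.append((src.name, dst.name, cap, ok))  # log denials too
        if ok:
            dst.handles.add(cap)
        return ok

    def reachable(self, start):  # upper bound on where start's capabilities can flow
        seen, todo = {start}, [start]
        while todo:
            new = self.targets(todo.pop()) - seen
            seen |= new
            todo.extend(new)
        return seen

def demo():
    k, attacker = Kernel(), Process("attacker")
    wp = k.spawn(Process("shell"), "wordproc")
    wp.handles.add("file:report.doc")  # document the user opened in the app
    helper = k.spawn(wp, "helper")
    moved = k.transfer(wp, helper, "file:report.doc")
    leaked = k.transfer(helper, attacker, "file:report.doc")
    return k, moved, leaked, {p.name for p in k.reachable(wp)}
```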