Yeah. There's an implicit assumption that some restrictions and capabilities do need to be inherited or passed. /bin/cat can't read /etc/shadow unless it inherits the root UID or is passed a descriptor to the opened file. While the traditional Unix programming environment falls short of an ideal object capabilities model, it doesn't fall that short--the Capsicum API extension is quite simple. Other programming environments, like Android as you point out, have their own intrinsic security model. Discussions about the efficacy of interfaces like pledge, landlock, seccomp, etc, are set against these background models and the existing software ecosystems they support.
The argument for pledge and unveil isn't that it's conceptually superior to, e.g., a pure object capabilities system; it's that in practice it's the interface most likely to be used effectively by software in the Unix programming environment to augment the existing model.
The argument for pledge and unveil isn't that it's conceptually superior to, e.g., a pure object capabilities system; it's that in practice it's the interface most likely to be used effectively by software in the Unix programming environment to augment the existing model.