Here is a little update on what I have been working for the last release of Windows. As you may know, Windows uses the capability model. To mark app container apps with privileges to certain capabilities like using location, or a camera. The basic idea of custom capabilities is to allow 3rd party developers to define their own custom capabilities so that their apps or their partner's apps can similarly be marked. Ultimately a capability becomes a SID that is stamped on the app's token. Internal brokered components check those SIDs before letting apps do privileged things out of the app container sand box. Now 3rd parties can also have services or drivers that can also check for those SIDs before allowing apps to use their privileged resources.
Watch the video below to get a more info: