This document mainly focuses on applying POLA when the user invokes an executable using the shell. It gives little attention to the case in which one program invokes an executable using execve(). In that case we want the caller to apply POLA and not pass too much authority on to the callee, and we want the callee not to be confusable. If the caller doesn't apply POLA and the callee is confusable -- which will be true if they are unmodified Unix programs -- and if the two have Env sets that clash -- that is, the same filename maps to different files in each -- then we have basic workability problems, not just security problems.
I hope to discuss these problems, and some solutions, in a forthcoming document.