Yup, SES is very interesting, and I think it can solve this problem in the future. As this post is about the here and now though, and SES is not yet ready for widespread adoption, I think my point stands that at this current time it is not possible to securely do capability based security in JS.