Comment 2 for bug 1559604

It's up to you, but I think a switch in every window is actually enforcable. You would just need to trap the relatively few OS calls which result in camera communication. This would be a lightweight form of virtualization, much much simpler than paravirtualization of the kernel.

If you go the global route, there's no way to partition which app gets access. So a "phone home" piece of malware just needs to sit around waiting for the global enable to get set. (This applies to all hazardous devices, not just the camera.)