Today when you accept or deny an Experience it's an all-or-nothing thing. I think an Experience should only ask for the permissions it requires, and when requesting permission from the Resident it should be possible to specify required perms, and optional perms: denying a required perm should have the same effect as if you denied the entire Experience, while the scripts should be aware of which optional Experience permissions has been granted and which ones has not been and work accordingly. Similarly, a phone app intended for taking photos and allowing you to tag friends in the photos will require the camera permission, but accessing contacts can be made optional, while the app should not have access to for example take screenshots of other apps running on the phone, sending SMS or making calls.

A bunch of shops now use Experiences to let you teleport to various places in the store, and I guess for other features as well. While I might not mind being teleported, I might not want to hand the keys away for controlling my viewer in other ways.