Why are apps and web apps today non-composable?

· Bits and Bobs 4/1/24

The reason is the same-origin model.

In traditional operating systems, different apps can coordinate via the filesystem.

That's powerful, but also dangerous (without protections).

Files are the natural Schelling point for different actors to coordinate, including in unexpected ways.

The web introduced a simple rule: isolation between origins.

Origins could not interact except with two-way opt-in.

Simple law of physics, easy to implement and maintain.
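
The rule above, sketched as an added example that is not part of the original post: an origin is the scheme, host and port of a URL, and a cross-origin message gets through only when the sender names the receiver's origin and the receiver accepts the sender's, as with `window.postMessage`. The `deliver` helper and the `.example` origins are hypothetical.

```javascript
// Added illustration, not from the original post. All origins are constructed samples.

// An origin is the (scheme, host, port) triple; URL.origin normalizes default ports.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Toy model of cross-origin messaging in the style of window.postMessage:
//   sender opt-in   = the targetOrigin the sender names when posting
//   receiver opt-in = the event.origin values the receiver's handler accepts
// deliver() is a hypothetical helper, not a browser API.
function deliver({ from, to, targetOrigin, receiverAccepts, data }) {
  const sender = new URL(from).origin;
  const receiver = new URL(to).origin;
  if (sender === receiver) {
    return { delivered: true, reason: "same origin", data };
  }
  if (targetOrigin !== receiver) {
    return { delivered: false, reason: "sender did not name receiver's origin" };
  }
  if (!receiverAccepts.includes(sender)) {
    return { delivered: false, reason: "receiver does not accept sender's origin" };
  }
  return { delivered: true, reason: "two-way opt-in", data };
}

// Constructed sample: two unrelated sites that want to share one piece of data.
const notes = "https://notes.example/editor";
const calendar = "https://calendar.example/week";

// Same host, explicit default port: still the same origin.
console.log(sameOrigin(notes, "https://notes.example:443/settings"));
// Same host, different scheme: a different origin.
console.log(sameOrigin(notes, "http://notes.example/editor"));
// Only the sender has opted in, so nothing is delivered.
console.log(deliver({
  from: notes, to: calendar, targetOrigin: "https://calendar.example",
  receiverAccepts: [], data: "meeting",
}));
```
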

But that made it so each domain was its own separate universe.

Apps extended this model to powerful local software and made them all isolated islands.

More secure, but at the cost of strongly accelerating the pull to aggregation.

The most powerful apps can convince other apps to send data to them, but don't allow data to flow from them.

This power is self-accelerating.

The same-origin model is too simplistic a model, and it precludes the majority of the combinatorial power of software that comes from composition.

We should make the model same-user, and allow a more enlightened and powerful security and policy apparatus to prevent unintended information leakage.
