Non-OS provided applications are installed as packages and given package-level permissions which are easily audited and revokable (without forcing uninstall).
Apache has permission to start at boot, run in the background, and listen to 0.0.0.0:80,443. Photoshop has permission to write to files in $HOME, and connect to network services while the application is running optionally with explicit permissions for each access. Adobe's update service can be disabled with a click.
