We have certain Mojo interfaces that should only be used from the browser process. For example, through the NetworkContext, you can request both a CookieManager[1] and a RestrictedCookieManager[2]. The CookieManager should never be passed to a renderer process, while it is safe to pass a RestrictedCookieManager to a renderer.

It would be nice to have a way to enforce constraints like this in the code, to make sure we don't accidentally introduce security bugs by passing unsafe interfaces around.

1. https://cs.chromium.org/chromium/src/services/network/public/mojom/network_context.mojom?l=443&rcl=db07c8cc675a07d228219b0ae3f36c7c6afcef14
2. https://cs.chromium.org/chromium/src/services/network/public/mojom/network_context.mojom?l=449&rcl=db07c8cc675a07d228219b0ae3f36c7c6afcef14