Applocker

I think having a master password like what is seen with 1Password might be good (though wouldn’t Touch ID and/or your system password when opening the Passwords window already count?).

I don’t see a use case for AppLocker as, per my initial research, that appears to be more of Windows enterprise feature for locking down applications, which I think would be well out of scope for Orion.

i suppose this woudl be similar to requiring authentication for private tabs on ios, but for desktop and for accessing all tabs

I think a big part of this is understanding what you are protecting, and who you are protecting that from.

If you are logged in to your device, most info is lying on your SSD to any app running as your user.

Most web browsers (not looked at Sonoma Safari private tabs yet) store a JSON or PLIST file that sets out all the current tabs, their URL etc. That's how they resume previous sessions and reload your tabs. The history database is also generally available as a file, listing all visited URLs. Anything/anyone that can access your logged in session can see that. The notional security boundary on a Mac device is the system lock screen (and the trusted boot chain, secure enclave and FileVault help to enforce the system lock screen).

If you are trying to protect information from the currently logged-in user, that will be fairly difficult, as presumably someone logged in knows your user password or has an enrolled Touch ID credential (which means they can unlock and access keychain credentials). Or you have walked off and left the device logged in (which is a different issue).

Unless it's clear what the goal is though, it's likely someone could get around this in a second or two. That's not to say there's not good reasons to look at protecting browser data (e.g. https://orionfeedback.org/d/4809-encrypt-sensitive-local-data-in-the-orion-applicationsupport-folder-with-a-keychain-based-credential), but for something like a master password or "app locker", I presume this means some credential to open Orion, that would realistically mean encrypting browser state and unlocking it with the user keychain via Touch ID. At least that's the most "sane" way.

Many "app lockers" are theatre to impress the user with a prompt, but can be trivially bypassed (if they are implemented by the app itself). Hence the importance of understanding the exact goal here. Who/what is this feature to protect against? (For private tabs, where no record is stored on SSD, there might be a viable way to do this, which is what I guess Safari is doing - not storing tab state to SSD, and using a system authenticator to unlock the existing window. Not insurpassable, but fairly secure as long as an attacker can't do TouchID auth as the user.)