You could run applications in "debugging" mode and log anything and everything that happens in them. Each application has its own way of logging its internal data and functionality, and some may not be entirely honest.
Can you run the Linux kernel in "debugging" mode for all applications, so that anything they do or try to do, and its timing, is "monitored"?
In the case of exposed applications such as browsers, you would not only "enable JavaScript" and/or enable it for specific sites, but be able to specify which functionality within JavaScript that site may use.
Java applets and Web Start include such implementations using "manifest"-type files:
https://docs.oracle.com/javase/8/doc.../manifest.html
"Firewalls" based just on IP addresses are silly nowadays. Ideally:
a) the kernel should only do the "monitoring"
b) an application running as a proxy, through which everything going in and out of your computer is transparently channeled regardless of the browser you use and the protocol, would allow (or not) certain kinds of functionality based on some sort of DAG/XML-ish data for each site, domain and path
c) each session of an application, or attempt at running any kind of code, should come with a declared "flight chart"
d) if what the application does doesn't match its "flight chart", or if it doesn't come with one and tries some internal functionality not allowed to it ...
Do you know of such ideas even if partially implemented and/or discussed?
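The "flight chart" of points c) and d) is partially implemented in the Linux kernel as seccomp-BPF: a process declares the system calls it may make, and the kernel terminates it on any other. The example below is added here and is not from the original post; it assumes an x86_64 Linux host, and the two-entry DEMO_CHART allowlist and the function names are mine. run_filter is a userspace interpreter for the filter the builder emits, so a chart can be checked before it is installed.

```c
#include <stddef.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define FC_ARCH AUDIT_ARCH_X86_64 /* assumption: x86_64 host; arm64 would use AUDIT_ARCH_AARCH64 */

/* Turn a declared syscall allowlist into seccomp-BPF: wrong arch or undeclared nr => kill. Returns insn count. */
int build_flight_chart(const int *allowed, int n, struct sock_filter *out) {
    int c = 0;
    out[c++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[c++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FC_ARCH, 1, 0);
    out[c++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[c++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (int i = 0; i < n; i++) /* on a match, jt jumps over the KILL straight to the final ALLOW */
        out[c++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], (unsigned char)(n - i), 0);
    out[c++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[c++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return c;
}

/* Userspace interpreter for the three opcodes the builder emits, so a chart can be verified before install. */
unsigned run_filter(const struct sock_filter *p, int len, unsigned arch, unsigned nr) {
    unsigned acc = 0;
    for (int pc = 0; pc < len;) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS)) { acc = p[pc].k == offsetof(struct seccomp_data, arch) ? arch : nr; pc++; }
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += 1 + (acc == p[pc].k ? p[pc].jt : p[pc].jf);
        else if (p[pc].code == (BPF_RET | BPF_K)) return p[pc].k;
        else break;
    }
    return SECCOMP_RET_KILL_PROCESS; /* fail closed on anything the interpreter does not understand */
}

static const int DEMO_CHART[] = { SYS_write, SYS_exit_group }; /* constructed "flight chart" for the demo */
unsigned demo_verdict(unsigned arch, unsigned nr) { /* the chart's verdict for (arch, nr), without installing it */
    struct sock_filter prog[64];
    return run_filter(prog, build_flight_chart(DEMO_CHART, 2, prog), arch, nr);
}

int main(void) { /* demo: the child installs the chart, makes one declared write, then strays and is killed */
    struct sock_filter prog[64]; int st = 0;
    if (fork() == 0) {
        struct sock_fprog fp = { .len = (unsigned short)build_flight_chart(DEMO_CHART, 2, prog), .filter = prog };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp)) _exit(2);
        write(1, "declared write ok\n", 18);
        getpid(); /* not declared: the kernel delivers SIGSYS here */
        _exit(0);
    }
    wait(&st);
    return WIFSIGNALED(st) && WTERMSIG(st) == SIGSYS ? 0 : 1;
}
```

The demo exits 0 only if the child was killed by SIGSYS, i.e. if the kernel enforced the chart rather than the process policing itself.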