Unveil is for use by developers during program development.

This isn't a wrapper to be "applied afterwards".

Like pledge(2), unveil follows the "program manipulates its own future runtime" model.

"I promise to only need these things in the future"

Pledge has a small set of semantics to control. Unveil is segmenting a filesystem.

Filesystems actually have a lot of semantics, and a lot of nuances around:
- files used by libc
- per-program known files
- files provided by argv[] or configuration
- filenames just known by a program
- file names inside $HOME
- the ability to create abstract trees using symbolic links. (more on this later)
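
As an added example (not code from the original talk or from OpenBSD), here is how a program can restrict its own future filesystem view for a file named in argv[] and a directory taken from configuration. `restrict_fs` is a hypothetical helper, and the non-OpenBSD shim is an assumption that only models the lock so the file builds elsewhere.

```c
/* Added example: restrict a program's own filesystem view with unveil(2). */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption: portability shim so the file builds off OpenBSD. It only
 * models the lock (calls after unveil(NULL, NULL) fail with EPERM) and
 * enforces nothing; on OpenBSD the real unveil(2) is used instead. */
static int shim_locked;
static int unveil(const char *path, const char *perms)
{
	if (shim_locked) { errno = EPERM; return -1; }
	if (path == NULL && perms == NULL) shim_locked = 1;
	return 0;
}
#endif

/* Hypothetical helper: expose only what the program will need later.
 * input comes from argv[] (read-only); outdir is from configuration. */
static int restrict_fs(const char *input, const char *outdir)
{
	if (unveil(input, "r") == -1)      /* file named by the user */
		return -1;
	if (unveil(outdir, "rwc") == -1)   /* read, write, create below outdir */
		return -1;
	return unveil(NULL, NULL);         /* lock: no further unveil calls */
}

int main(int argc, char *argv[])
{
	if (argc != 3) {
		fprintf(stderr, "usage: %s input outdir\n", argv[0]);
		return 2;
	}
	if (restrict_fs(argv[1], argv[2]) == -1) {
		perror("unveil");
		return 1;
	}
	/* On OpenBSD, paths outside the two unveiled ones now fail with ENOENT. */
	FILE *f = fopen("/etc/passwd", "r");
	printf("/etc/passwd: %s\n", f ? "opened" : "not visible");
	if (f) fclose(f);
	return 0;
}
```

The calls sit inside the program, after it knows its arguments and before it touches untrusted input, which is why this cannot be bolted on from outside as a wrapper.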