Then do `deno ./my_downloaded_deno_gui` instead. If you trust the copy of deno you downloaded, then hopefully it can be trusted to verify the permissions of random downloaded deno-apps.

Yes, it kind of defeats the standalone binary aspect but if you're really concerned about security, maybe it's a happy medium.