Application-dependent! Depends on how and where-from the object arrived to the system.
For example, use sender identity for email attachments. If sender is unknown then the assigned sub-user should have fewer permissions
For browsers, each site has its own sub-user id. Wrote their own secure web browser