- Linux implements ACLs, so those rwx permissions can be declared in a much more granular way than just User/Group/Other. (See the setfacl(1) command.)
- rwx is more nuanced than you think, with "x" serving as both "executable" for files and "browsable" for directories.
- Basic permissions are actually four values, not three, with the fourth octet's "setuid, setgid, and sticky" having alternative meanings for directories. Namely, setuid and setgid on a directory specify that files and directories created in it should inherit their UID/GID ownership from it instead of the creating process, and the "sticky bit" is the "restricted deletion" bit, which specifies that only the creator of a file in such a directory (e.g. /tmp) can delete it.
- There are also file attributes, settable with chattr(1), such as append-only, immutable (and irremovable), case-insensitive child name lookups (if supported by the filesystem), and a bunch of other attributes that are more about filesystem behaviour than security policy.
- Root permissions have been parted out into POSIX Capabilities so you can run a program with only a specific slice of root's power, such as the ability to open low-numbered ports (CAP_NET_BIND_SERVICE) or the ability to chroot (CAP_SYS_CHROOT). This has also been extended to the ability to mark executables to inherently run with certain capabilities as a more granular replacement for setuid. (e.g. This is how ping no longer needs to be setuid. It's been marked to run with CAP_NET_RAW instead.) POSIX capabilities also allow a process and its descendants to be marked as SECBIT_NOROOT... that is, you can say that, even if a process manages to elevate to UID 0, it doesn't get the superpowers like arbitrarily changing file ownership, reading files it doesn't have permission to read, etc.
- Linux has cgroups-based sandboxing and tools built on it like Firejail and Bubblewrap. Last I checked, the closest Windows equivalent was something Microsoft explicitly said was not intended as a security boundary, being more like a proprietary analogue to Docker containers.
- There are probably others that have slipped my mind at the moment.
If that's not enough for you, there are Mandatory Access Control frameworks like SELinux.
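
An added example, not part of the original comment: a Python audit that reads the setuid, setgid and sticky bits by file type and flags world-writable directories that lack the restricted-deletion bit. The tag names and the directory names in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

def special_bits(mode):
    """Name the special permission bits in st_mode by what they mean for that file type."""
    is_dir = stat.S_ISDIR(mode)
    tags = []
    if mode & stat.S_ISUID:
        # On a directory the bit is only reported here, not interpreted.
        tags.append("setuid-dir" if is_dir else "setuid-file")
    if mode & stat.S_ISGID:
        # On a directory: new entries take the directory's group.
        tags.append("setgid-inherit" if is_dir else "setgid-file")
    if mode & stat.S_ISVTX:
        tags.append("restricted-deletion" if is_dir else "sticky-file")
    # A directory any user can write to, with no restricted-deletion bit,
    # lets any user delete or rename other users' files in it.
    if is_dir and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        tags.append("world-writable-unrestricted")
    return tags

def audit(root):
    """Walk root and return {relative path: tags} for every entry with a tag."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            tags = special_bits(os.lstat(path).st_mode)  # lstat: do not follow symlinks
            if tags:
                report[os.path.relpath(path, root)] = tags
    return report

def demo():
    """Build a small constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("shared", 0o1777), ("dropbox", 0o777), ("private", 0o700)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)  # chmod ignores the umask
        return audit(root)

if __name__ == "__main__":
    for path, tags in sorted(demo().items()):
        print(path, tags)
```

Pointing `audit()` at a real tree such as `/tmp` or a shared project directory gives the same report for live data.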