> macOS already has a sandbox. In practice many sandboxed apps can't actually write to /Library or ~/Library. They write to a sandboxed directory that pretends to be ~/Library further containing directories like ~/Library/Application Support. The real path of that directory is generally under ~/Library/Containers.
I know that: what I would like is more ways for the users to control this. I expect these companies to do everything they can to evade restrictions, and I’d like some ways to tighten the rules more than the defaults for some applications. I think from the OS perspective everything is there already, just not accessible through any UI.
> Now for obvious reasons Apple cannot force all macOS apps to be sandboxed. It was already a PR hit when they required Mac App Store apps to be sandboxed.
Indeed. But overall it’s an improvement for user security, just like SIP and the read-only system image.
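The reply above says the OS-level mechanism already exists but has no user-facing controls. As an added example that is not part of the thread, the shell script below shows the two pieces a user would need to tighten rules by hand: resolving the container-backed `~/Library` path that the quoted comment describes, and emitting a deny-by-default `sandbox-exec` profile (SBPL) that permits only the app bundle, a couple of read-only system paths, and that app's own container. The bundle identifier `com.example.app` and the path `/Applications/Example.app` are assumed placeholders. A real application will need further allows (for example `mach-lookup` for system services), so treat the generated profile as a starting point to widen from, and note that `sandbox-exec` is deprecated by Apple though still shipped.

```shell
#!/bin/sh
# Added example, not from the original thread. Bundle id and app path are assumed.

# Print the container-backed Library directory for a sandboxed app.
# $1 = bundle identifier, $2 = home directory (defaults to $HOME)
container_library() {
    home="${2:-$HOME}"
    printf '%s/Library/Containers/%s/Data/Library\n' "$home" "$1"
}

# Emit a tightened SBPL profile: deny everything, then allow only
# the app bundle (read + exec), read-only system libraries, and the
# app's own container data directory for reads and writes.
# $1 = app bundle path, $2 = container Data directory
tightened_profile() {
    cat <<EOF
(version 1)
(deny default)
; the app bundle itself must be readable and its binary executable
(allow file-read* (subpath "$1"))
(allow process-exec (subpath "$1/Contents/MacOS"))
; read-only system paths dyld and frameworks need
(allow file-read* (subpath "/usr/lib") (subpath "/System/Library"))
; the only writable location: this app's own container
(allow file-read* file-write* (subpath "$2"))
EOF
}

# Usage on macOS (commented so the script loads cleanly elsewhere):
# lib=$(container_library com.example.app)
# profile=$(mktemp)
# tightened_profile /Applications/Example.app "$(dirname "$lib")" > "$profile"
# sandbox-exec -f "$profile" /Applications/Example.app/Contents/MacOS/Example
```

When the launched app starts failing, `log stream --predicate 'sender == "Sandbox"'` shows which operation was denied, which is the loop used to add back exactly the allows an app needs rather than handing it the default, broader profile.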