Hacker News
by rjvir 2848 days ago
Security for the normal user is a nice benefit of having an App Store.
2 comments

I'm pretty sure I get a substantial fraction of that sort of benefit from Debian's apt repository.
The intersection between these two sets is likely pretty small: "normal user", "people using Debian".
That seems better in theory than in practice. Apple didn't detect the behavior (though it violates their dev TOS); I would think the users whose browsing data was exfiltrated will not feel especially secure.
I don’t expect Apple to catch behavior. What I would expect is that an app on the App Store never be given permission to a user's whole home directory, only a sandboxed area for the app to store files. If a user wants to open files somewhere else, the app should open a file picker where the user explicitly allows access to that file.
I assume that's what happened here. The app says "I need permission for your home directory" and the user selects the home directory from a file picker, giving access to everything in it.
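The grant mechanism the two comments above describe, as an added example (this is not code from the thread or from any app it discusses): a sandboxed Mac app with only the `com.apple.security.app-sandbox` and `com.apple.security.files.user-selected.read-only` entitlements cannot read the home directory on its own, but an NSOpenPanel that allows directory selection lets the user hand over a whole tree, and a security-scoped bookmark keeps that grant across launches. The `allowDirectories` flag and the `key` names are illustrative assumptions; the entitlement keys and AppKit/Foundation calls are the real ones.

```swift
import AppKit
import Foundation

// Added example, not from the original thread. Assumed entitlements in the app's
// .entitlements plist (both are real App Sandbox keys):
//   com.apple.security.app-sandbox = true
//   com.apple.security.files.user-selected.read-only = true
// With only these, the app cannot read ~ until the user picks something in an open panel.

/// Asks the user to pick a location. With `allowDirectories` true the user can pick
/// their home directory, which grants the sandboxed app read access to everything
/// below it. With it false, only a single file can be granted, which is the
/// iOS-style behaviour some commenters would prefer.
func requestUserSelectedAccess(allowDirectories: Bool,
                               completion: @escaping (URL?) -> Void) {
    let panel = NSOpenPanel()
    panel.canChooseFiles = true
    panel.canChooseDirectories = allowDirectories   // the setting that decides the blast radius
    panel.allowsMultipleSelection = false
    panel.message = allowDirectories
        ? "Choose a folder to scan (everything inside it becomes readable)"
        : "Choose a file to open"
    panel.begin { response in
        completion(response == .OK ? panel.url : nil)
    }
}

/// Persists the grant as a security-scoped bookmark so the app keeps access after
/// it quits. Without this, the grant lasts only for the current process.
func persistGrant(for url: URL, key: String) throws {
    let data = try url.bookmarkData(options: .withSecurityScope,
                                    includingResourceValuesForKeys: nil,
                                    relativeTo: nil)
    UserDefaults.standard.set(data, forKey: key)   // `key` is an illustrative name
}

/// Resolves a stored bookmark and runs `work` while access to the granted tree is open.
func withPersistedGrant<T>(key: String, _ work: (URL) throws -> T) throws -> T? {
    guard let data = UserDefaults.standard.data(forKey: key) else { return nil }
    var stale = false
    let url = try URL(resolvingBookmarkData: data,
                      options: .withSecurityScope,
                      relativeTo: nil,
                      bookmarkDataIsStale: &stale)
    guard url.startAccessingSecurityScopedResource() else { return nil }
    defer { url.stopAccessingSecurityScopedResource() }
    return try work(url)
}

/// Counts entries directly under the granted location. If the user granted their
/// home directory, this can enumerate ~/Library, ~/Documents, browser profiles and
/// so on: the sandbox no longer stands between the app and that data.
func countEntries(in dir: URL) throws -> Int {
    try FileManager.default.contentsOfDirectory(at: dir,
                                                includingPropertiesForKeys: nil).count
}

// Usage (illustrative):
// requestUserSelectedAccess(allowDirectories: true) { url in
//     guard let url = url else { return }
//     try? persistGrant(for: url, key: "scanRoot")
//     if let n = try? withPersistedGrant(key: "scanRoot", countEntries(in:)) {
//         print("granted tree has \(n ?? 0) top-level entries")
//     }
// }
```

The practitioner's takeaway is the `canChooseDirectories` line: the sandbox does exactly what the app asks of the picker, so an app that only needs one document should leave directory selection off, and a user faced with a "pick your home folder" prompt is being asked to disable the sandbox for that tree.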

DaisyDisk's App Store version has similar sandboxing limitations and a similar workaround. It's an app designed to scan your whole hard drive and show you how your space is used, but by default it doesn't have permission to access the drive at all. So to run the first scan you have to indicate to the OS that you want the application to be able to read your hard drive, IIRC by dragging and dropping the volume onto DaisyDisk.

For an antimalware app, of course users are going to grant it permissions. There's no point in buying that if you're going to keep it in a sandbox where it can't look at your system.

I would expect something more like iOS, where you can only choose a file, not a folder.

True, that will limit what types of apps can be distributed on the Mac App Store. But I am okay with that. On the Mac, they can distribute their app outside the store. I would love to be able to tell my mom: don’t trust any app outside of the store. And make it hard to download outside of the store.

That's pretty close to what they have today. Apple started enforcing sandbox restrictions in apps distributed via the Mac App Store, and opening an app downloaded directly from the web takes more effort than it used to.
To be fair, while I stand by my criticism of their lack of oversight, having an App Store model does make a fix much easier to roll out. If this was a piece of malware that was just installed manually, it'd take an OS security update to address, which presumably wouldn't happen in hours (or even days).
It apparently has to ask for the rights to open the user's files, and frankly, as a user if I paid for anti-malware I'd give it those permissions.