by olliej 2135 days ago
Data vaults on macOS are intended to prevent apps running under the same unprivileged user from accessing files that belong to another app.

E.g., if there is a file/directory that only Safari is meant to have access to, no other app should be able to read it, without at least bringing up one of the annoying “allow X to access your Y”. For example, the first time you, say, feel your home directory you’ll get a bunch of TCC requests asking if the host app (Terminal.app say) should be allowed to access those files.

2 comments

To add to this: there are two different types of Data Vaults. For locations such as ~/Pictures, ~/Documents, Calendars, Contacts, etc. a permission prompt is triggered if an app tries to access it. Other locations, such as where Mail and Safari keep their data, cannot be allowed from a prompt. Those require "Full Disk Access" for third-party software to gain access, which you should give only to applications that really need it, such as a backup tool.

Anything not in those locations is not protected, so there's no Data Vault for Chrome's cookie file, for example.

Is there an API that allows apps to construct data vaults? I assumed that there would be, but I also generally don't write code at that level in the stack.

Interesting, macOS has a much stricter permission system than I'm used to on Windows and Linux. On Windows and Linux malware could just start controlling the mouse and keyboard and thus control the browser to get data from it, but on macOS apparently to control the mouse and keyboard some special permission is needed.

macOS is evolving toward the sane Browser/iOS/Android security model for networked computers running apps from diverse third parties.