It's been quite a few years since I did anything in this space, but back in the day you could get quite a lot of information simply by wrapping things in sandbox-exec [0] and progressively adding allow rules as the application inevitably blew up. It's a fair bit of manual effort, and I wouldn't be surprised if someone has written a wrapper around it that automatically figures it out, but last I checked this was the most reliable way to explicitly see what a rogue application does.
[0] https://www.karltarvas.com/macos-app-sandboxing-via-sandbox-...
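
The deny-then-allow loop described in the comment above, as an added example (not the commenter's code and not taken from the linked article): a deny-default starting profile plus a helper that turns denial log lines into candidate allow rules for review. The function names, the assumed denial line shape (`Sandbox: <proc>(<pid>) deny(1) <operation> <target>`) and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example. Workflow on macOS: start from base_profile, run the app with
# `sandbox-exec -f profile.sb ./app`, collect the denial lines it produces,
# pipe them through denials_to_rules, review, append to the profile, repeat.

# Deny-by-default starting point: everything the app needs shows up as a denial.
base_profile() {
  printf '%s\n' '(version 1)' '(deny default)'
}

# Constructed sample denials (assumed line shape, not captured from a real run).
sample_denials() {
  cat <<'EOF'
Sandbox: demo(4242) deny(1) file-read-data /private/etc/hosts
Sandbox: demo(4242) deny(1) file-read-data /private/etc/hosts
Sandbox: demo(4242) deny(1) file-write-create /Users/me/Library/Application Support/demo/state.db
Sandbox: demo(4242) deny(1) mach-lookup com.apple.example.service
Sandbox: demo(4242) deny(1) network-outbound /private/var/run/mDNSResponder
EOF
}

# stdin: denial lines; stdout: one deduplicated candidate rule per line.
denials_to_rules() {
  awk '
    {
      if (!match($0, /deny\([0-9]+\) /)) next      # not a denial line
      rest = substr($0, RSTART + RLENGTH)          # "<operation> <target>"
      sp = index(rest, " ")
      if (sp == 0) next                            # no target to scope a rule to
      op = substr(rest, 1, sp - 1)
      target = substr(rest, sp + 1)                # keeps spaces inside paths
      # Targets containing quotes or backslashes are never emitted as rules.
      unsafe = (index(target, "\"") > 0 || index(target, "\\") > 0)
      if (!unsafe && op ~ /^file-/ && target ~ /^\//)
        rule = "(allow " op " (literal \"" target "\"))"
      else if (!unsafe && op == "mach-lookup")
        rule = "(allow mach-lookup (global-name \"" target "\"))"
      else
        rule = "; review before allowing: " op " " target
      if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# Stand-alone run: print the profile after one iteration over the sample.
base_profile
sample_denials | denials_to_rules
```

Rules are scoped to the exact path or service name from each denial, and anything outside the file and mach-lookup cases is emitted as an SBPL comment so that a broad allow never slips in unreviewed.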