Hacker News

Could these be done on-device, esp since they built in all that Secure Enclave cryptographic stuff, vs in the cloud? At least partially?

I mean having it phone home to the authentication server every time seems laborious vs. say, downloading a set of definitions every night that gets checked against some hash in the Secure Enclave or something.




You don't really need the secure enclave for this since it's the kernel doing the enforcement. I'm sure Apple considered syncing, since it's hard to implement something and not even glance at the other solutions on the market. My guess is:

* They expect the database to be too large to practically fit on every device. If this is really going to be literally every program or script ever run on macOS then that's gonna be huge.

* They don't want to deal with "virus definitions out of date" issues or "please update your AV" in response to an incident.

* They want to be able to revoke a malicious program immediately and not worry about cache expirations, which is why the cache is only used when it's really really offline.



