This limitation of the macOS sandbox has always driven me nuts. Even with a default-deny macOS sandbox profile (much stronger than anything that entitlements or TCC can apply, but pretty close to the restrictions some Chrome/Safari processes will run with) you still get an ENOENT instead of EACCES when trying to access a path that doesn’t exist. I understand not applying that behavior in default sandbox profiles, but for apps that are built to run some processes in extremely aggressive sandboxes, like browsers, it would be a real benefit.
BTW, this is also how iOS apps could detect jailbreak status of the device: just try to open paths like `/var/lib/apt`. If it does not exist, it should return ENOENT; otherwise you would know this device is “not clean”.
Didn’t think the sandboxing on macOS also has this issue.
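The errno distinction that the comments above rely on, as an added C example that is not part of the original thread. `probe_path`, `path_state` and `state_name` are names made up for illustration, the missing path is constructed, and treating `EPERM` the same as `EACCES` is an assumption about how a denial is reported.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* What one open() attempt reveals about a path. */
typedef enum {
    PATH_PRESENT, /* open succeeded */
    PATH_DENIED,  /* refused: the target, or a directory on the way to it, exists */
    PATH_ABSENT,  /* ENOENT or ENOTDIR: nothing at that path */
    PATH_UNKNOWN  /* any other errno: no conclusion drawn */
} path_state;

path_state probe_path(const char *path)
{
    /* O_NONBLOCK so a FIFO at the path cannot stall the probe. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd >= 0) {
        close(fd);
        return PATH_PRESENT;
    }
    switch (errno) {
    case ENOENT:
    case ENOTDIR:
        return PATH_ABSENT;
    case EACCES:
    case EPERM: /* assumption: a policy denial may surface as EPERM */
        return PATH_DENIED;
    default:
        return PATH_UNKNOWN;
    }
}

const char *state_name(path_state s)
{
    static const char *names[] = {"present", "denied", "absent", "unknown"};
    return names[s];
}

int main(void)
{
    /* "/var/lib/apt" is the path from the thread; the last one is constructed. */
    const char *paths[] = {"/", "/var/lib/apt", "/constructed-missing-dir/file"};
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-32s %s\n", paths[i], state_name(probe_path(paths[i])));
    return 0;
}
```

If the denied and absent cases returned the same errno, `PATH_DENIED` and `PATH_ABSENT` would collapse into one state and the probe would reveal nothing about paths the process cannot read.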