
If people wonder about things, they should install Little Snitch and see how often apple apps phone home. It's amazing. Not only after install, but hours and days later will apps start quietly phoning home.



One thing I learned from using Little Snitch is that a lot of Apple apps are seemingly immune from these types of firewalls, due to Apple shenanigans around k-ext signing etc [0].

Ref also [1]:

> In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.)
> Q: Could this be (ab)used by malware to also bypass such firewalls?
> A: Apparently yes, and trivially so

[0] https://x.com/patrickwardle/status/1318437929497235457 [1] https://x.com/patrickwardle/status/1327726496203476992


Apple removed the exclusion list: https://obdev.at/blog/a-wall-without-a-hole/


Huh, that was a pretty quick turnaround for Apple, glad to know.

Now if only they'd stop trying to get me to enable iCloud Drive just because I use an iPhone for work.


This is no longer the case.

But another way around is the way VMWare Fusion let you set up networking in Bridged mode. Any traffic from the VM went through without a peep from Little Snitch running on the host. No reason malware couldn't be designed in the same way.


VMware Fusion isn't sandboxed and installs daemons running as root (which requires Gatekeeper approval or bypass to run, followed by an admin password to install the daemons).

AFAIK, XProtect is the only remaining line of defense against malware installed in this way.


So, Little Snitch helps unless your adversary is either really good at what they do or really rich. Maybe nothing can be done in those cases, but I'd like to see the limitations of such software placed on the box.



