Sadly, Windows cannot do that. Every installed program has full disk access by default. It's very, very difficult to make it not so.
reply
AppContainer (e.g. used in UWP or MSIX)
reply
Interesting. Do I get this sandboxing out of the box when I install apps with Homebrew? Or do I need to do something specific?

Would love to enable this for all apps, and add exceptions for the ones that need more access.

I installed Lulu and BlockBlock recently, and want to do more to harden my Mac.

reply
This hardening is enabled by default with Gatekeeper. That includes Homebrew apps, unless you disable it.

When an app tries to access something outside of its sandbox, you get a notification asking to approve or deny. Full Disk Access I think needs to be explicitly given in System Settings (Privacy & Security -> Full Disk Access).

reply
In the scenario where you take care of it yourself the rogue plugin would not be an issue either.

I have no idea how to do that in Windows though.

reply
I've never tried to do this or similar in Windows (obviously easy in Unix-like environments), but I'm going to bet it's far more trouble than it's worth for 99% of users.
reply
On macOS at least those 99% of users are probably installing from the App Store, where apps are sandboxed by default and need to explicitly ask for access to paths outside that sandbox. Even when not installed from the App Store a permission dialogue is popped if an application tries to read from sensitive paths like your photo library.
reply
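The two posts above talk about macOS apps being sandboxed and needing to ask for access outside the sandbox. Whether a given app actually opts into the App Sandbox is recorded in its code-signing entitlements, which is something you can check yourself rather than assume. The script below is an added example, not code from anyone in this thread or from Apple: it parses an entitlements plist and reports whether `com.apple.security.app-sandbox` is set and which file-access entitlements the app declares. The `app_entitlements` helper assumes the macOS `codesign` tool and its `-d --entitlements :-` display form (on recent macOS versions `--xml` may be needed instead; check `man codesign`); the parsing functions run anywhere, and the sample plists are constructed for illustration.

```python
"""Check an app's code-signing entitlements for App Sandbox opt-in.

Added example for this thread. Assumes macOS `codesign` for live use;
the parsing functions themselves only need the Python standard library.
"""
import plistlib
import subprocess

# Apple-documented entitlement keys. The first enables the App Sandbox;
# the prefixes cover the file and media-library access entitlements.
SANDBOX_KEY = "com.apple.security.app-sandbox"
FILE_ACCESS_PREFIXES = (
    "com.apple.security.files.",   # user-selected, downloads, bookmarks
    "com.apple.security.assets.",  # pictures, movies, music libraries
)


def parse_entitlements(plist_bytes: bytes) -> dict:
    """Parse an entitlements plist (XML or binary). Empty input -> {}."""
    if not plist_bytes.strip():
        return {}
    return plistlib.loads(plist_bytes)


def is_sandboxed(entitlements: dict) -> bool:
    """True only if the sandbox entitlement is present and set to true."""
    return entitlements.get(SANDBOX_KEY, False) is True


def file_access_entitlements(entitlements: dict) -> list:
    """Sorted list of granted file/asset access entitlements."""
    return sorted(
        key for key, value in entitlements.items()
        if value is True and key.startswith(FILE_ACCESS_PREFIXES)
    )


def summarize(entitlements: dict) -> str:
    """One-line report a reviewer can eyeball."""
    if not is_sandboxed(entitlements):
        return "NOT sandboxed: full user-level file access (subject to TCC prompts)"
    granted = file_access_entitlements(entitlements)
    return "sandboxed; file access: " + (", ".join(granted) or "none declared")


def app_entitlements(app_path: str) -> dict:
    """Read entitlements from a bundle with codesign (macOS only, assumption:
    the ':-' form prints a plain XML plist; newer systems may need --xml)."""
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        capture_output=True, check=True,
    )
    return parse_entitlements(result.stdout)


# Constructed sample: what an App Store style sandboxed app might declare.
SAMPLE_SANDBOXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.files.user-selected.read-write</key><true/>
    <key>com.apple.security.assets.pictures.read-only</key><true/>
    <key>com.apple.security.network.client</key><true/>
</dict>
</plist>
"""

# Constructed sample: a hardened-runtime app distributed outside the store
# that never opted into the sandbox.
SAMPLE_UNSANDBOXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for label, blob in (("store app", SAMPLE_SANDBOXED),
                        ("direct download", SAMPLE_UNSANDBOXED)):
        print(f"{label}: {summarize(parse_entitlements(blob))}")
```

To audit a real install, call `app_entitlements("/Applications/SomeApp.app")` and pass the result to `summarize`. An app that reports "NOT sandboxed" is not necessarily malicious, but it is the case the earlier posts describe: its file access is limited only by the TCC prompts for protected locations, not by a sandbox profile.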
For real security, operation should only be allowed after 24h of cooldown.
reply