Given that it seems nowadays impossible to run applications as a different user (as in, logged in as user1, run IntelliJ as user2) on a Mac, how do you protect yourself against random dependencies or curlbash installers doing things you wouldn’t want them to?

Something like Little Snitch can protect against something POSTing your key vault or other sensitive data somewhere. SSH/GPG keys can be put on a token, but what else can you do besides running everything on docker or in a VM and having to pay the performance overhead?

It would be nice if it was possible to run a space as a different “sub user” with no permission on the master user’s files (maybe done via screen sharing to localhost?) and/or being able to assign folder/file access permission on a whitelist/blacklist basis per process for example.

I personally have ended up separating all my documents and important browsing (banking etc) to a separate computer I ONLY use for that (with separate browser profiles too, I wish you could run firejail on Mac btw), but it would be nice if there was a way to improve the situation for cases where that is not possible.

I'd use Pareto security for starters if I had a Mac https://paretosecurity.com/