hoakley April 15, 2026 Macs, Technology, Updates

Privacy: Which folders are protected in Tahoe?

Obtaining a definitive list of locations that are subject to privacy protection in macOS Tahoe 26.4 hasn’t been easy, and I’ve previously relied on information given piecemeal in WWDC sessions. This article reports the results of formal testing using a new version of my test app Insent, and brings some surprises.

Insent version 1.2 now allows you to set the path to the folder to be used for its Save and Open by consent buttons, using a Combo box. That’s a combination of a popup menu including the three most popular locations, Desktop, Documents and Downloads, and an editable text box into which you can enter a custom folder path.

Save and Open by consent are actions in which the user doesn’t express their intent to write to or read from the protected location, for example in an Open and Save Panel, but the app’s code determines the path and file. Thus, to ensure the app’s access doesn’t compromise the user’s privacy, those actions may be blocked unless the user gives their consent in a dialog presented for TCC, the privacy manager.

In the Save by consent code, all Insent does is construct a URL to a new text file in that folder path, then tries writing a String to that URL using String.write() non-atomically. To open a text file from that folder path, it attempts to enumerate the contents of the directory at that URL using FileManager.default.contentsOfDirectory(), then iterates through the contents until it finds a text file to open. If it does, it tries to read that file using String(contentsOf: url), and displays the start of that String.

Only three locations conform to the standard control:

~/Desktop
~/Documents
~/Downloads

In each case, there is no control over writing to the location, but any attempt to list the contents of that folder elicits a request for consent, and results in an entry for Insent in the Files & Folders list in Privacy & Security settings.

For iCloud Drive, and presumably third-party cloud services with equivalent privacy protection, there is no control over writing to the location, and listing folder contents requires consent, but no entry appears in the Files & Folders list, and I have been unable to discover any equivalent control elsewhere. Thus, once consent has been given, it appears to remain indefinitely, as the user doesn’t have a control to disable that access.

Removable Volumes and Network Volumes differ again, in that both Save and Open by consent require user consent, although giving consent to one action also grants it for the other. However, not all removable volumes are treated as protected. A Time Machine backup drive that is mounted automatically during startup, and has an additional volume not used for backups, wasn’t given any protection, while an SSD connected and mounted well after login was treated as a Removable Volume.

Although often listed as being subject to privacy protection, read access by consent was blocked for Time Machine backups, and they’re read only anyway.

One strange behaviour discovered during testing was the automatic addition of Insent to the Full Disk Access list, rather than individual Files & Folders. However, Full Disk Access hadn’t been granted, and when Insent was removed from that list, individual Files & Folders were shown instead.

There was no evidence of any other special locations among other standard folders in the user’s Home folder, although there are separate controls covering Photos access, and that to app databases, as listed in Privacy & Security settings.

The following table summarises privacy protection for special locations in macOS 26.4.

Insent version 1.2 is now available from here: insent12
Have fun trying to make sense of this protection.

8Comments

Add yours

1

Alex on April 15, 2026 at 10:27 am
Reply

Hello Howard.

In the first place, it is an honor to comment for the first time on your blog, although I’ve been brought here many times in the past after following different macOS topics. But this time I couldn’t resist commenting, as we’ve met in time while digging about macOS security and privacy. Yes, I’ve been wondering about the security of macOS since early this year, comparing it to the much more strict sandboxing that iOS and iPadOS employ.

My main worries stem from several apps that I want to install and execute on my Mac, such as ChatGPT, Claude, or Obsidian. And even if I don’t have too much personal stuff on this Mac, it is still connected to my Apple Account, which automatically downloads my reminders, calendars, notes… and the notes are saved in plain text, except the notes that you lock under a password. That’s unless you’ve enabled the advance data protection, which isn’t my case -yet-.

As you may imagine, installing Mac apps such as ChatGPT that may have access to all my personal notes (or pictures, or videos, or whatever) makes me uncomfortable. But at the same time, this desktop versions of the tools mentioned offer more versatility and capabilities as the iPad counterparts…

Now, I am going to download your app, and test how easy is for an external, non sandboxed apps, to gain access to my notes, or any other folder. I guess the key here is not granting access to the app the first time, because otherwise I won’t be able to easily revoque the permissions, right? The best solution here would be to have a shared folder to deposit the documents I want my apps, -such as ChatGPT Claude or Obsidian- have access to, while leaving the rest of the disk without any access…

Thanks for your research.

Alex

LikeLiked by 2 people
- 2
  
  hoakley on April 15, 2026 at 11:49 am
  Reply
  
  Thank you.
  I’m afraid that Insent won’t tell you anything about other apps access to protected folders, as those are controlled on a per-app basis. It also won’t tell you anything about access to databases like those used by Notes, Calendar and Contacts, as they’re managed in a different way.
  Howard.
  
  LikeLiked by 1 person
3

Alex on April 15, 2026 at 11:19 am
Reply

Here are some findings on my Mac running macOS 26.4:

The Documents folder has full access to read and write to Insent, and I guess other apps, no matter what button from the 6 I use. No warning dialog, no entry on Settings -> Privacy -> Disk access. On the other side, the Downloads and Desktop folders are protected like you said, only from reading, and the prompt appears only with the Open by consent button, which is the one that -correct me if I’m wrong- grants full access to that folder to the app. Otherwise, with the Open by Intent button, theoretically the app ONLY has access to the selected file on the file selection window, and not to the whole folder, am I right?

Interestingly, the issues you commented on your previous entry regarding the app having access once it has been granted once, and removing it from the Settings -> Privacy -> folder access list, actually works on my Mac. It becomes unavailable, after closing the app of course. The prompt doesn’t appear again, but in order to Insent to have access via the Open by Consent button, I have to turn on the toggle again on that list. So not sure if this depends on the test device…

If I make any more findings I’ll let you know. Feel free to put this as a reply to my previous comment, if you can, so the conversation is better organized.

LikeLiked by 2 people
- 4
  
  hoakley on April 15, 2026 at 11:54 am
  Reply
  
  Thank you.
  Without knowing exactly which buttons you have used, it’s impossible to comment on the access you are describing. I suggest you follow the sequence I have described in this article, very carefully. Before you can do so, you’ll need to remove all entries for Insent in Privacy & Security settings, use tccutil to reset them as detailed, then restart your Mac.
  Howard.
  
  LikeLiked by 1 person
5

markbot2zero on April 15, 2026 at 4:04 pm
Reply

Dear Howard,

As always, thank you for this series.

Insent’s icon is entirely appropriate and, in spite of your patient and excellent explanations, it closely tracks my own facial-emotional-intellectual response to the subject.

-Mark

LikeLiked by 1 person
- 6
  
  hoakley on April 15, 2026 at 7:14 pm
  Reply
  
  Thank you, Mark. I chose carefully!
  Howard.
  
  LikeLike
7

Arnaud on April 16, 2026 at 7:46 am
Reply

About the sentence “Thus, once consent has been given, it appears to remain indefinitely, as the user doesn’t have a control to disable that access.”, in the cloud section, wouldn’t “sudo tccutil reset All bundleID” work?

And, again, thank you for these delightful articles.

LikeLiked by 1 person
- 8
  
  hoakley on April 16, 2026 at 5:22 pm
  Reply
  
  Thank you. The command in this case would be
  tccutil reset All co.eclecticlight.Insent
  however, that’s not a control, but an arcane piece of command wizardry that we should discourage ordinary users from pasting into Terminal. Surely, Privacy & Security should include a control to do that, and specifically for each protected location?
  Howard.
  
  LikeLike

Share this:

Related