If you thought that App Translocation only happens to apps left in their original folders and not moved, and doesn’t happen after first run, this could come as a surprise.
Gatekeeper
Major macOS releases from Sierra to Ventura, with full details of each release and security update. Also updates to XProtect, MRT and Gatekeeper.
How an obscure ACL can prevent a quarantine flag from being attached to an internet download: demonstration and explanation.
Is provenance tracking intended to make app launch times shorter despite new Gatekeeper checks, or is it trying to make it harder to cheat?
How the new tracking extended attribute is attached to apps, how it’s recorded in a security database, and how it’s checked. But for what purpose?
New version of ViableS runs in a sandbox, with no shared folders, and can now be isolated from networks. So how well does Ventura work without internet?
If Ventura checks the security of apps more thoroughly, how does it go about that? Gatekeeper explored, from XProtect to OCSP checks.
Are additional Gatekeeper checks in Ventura effective, and worth the effort? Surely malware can bypass them easily.
macOS has changed fundamentally. So has troubleshooting it. Secure Boot, the SSV, and Gatekeeper checks bring changes in strategy.
Run Catalina or later and there are two XProtects in the CoreServices folder. But they’re completely different, as this explains.