macOS Seatbelt Sandbox Profiling

Generate minimally-permissioned allowlist-based Seatbelt sandbox configurations for applications.

When to Use

- User asks to "sandbox", "isolate", or "restrict" an application on macOS
- Sandboxing any macOS process that needs restricted file/network access
- Creating defense-in-depth isolation if supply chain attacks are a concern

When NOT to Use

- Linux containers (use seccomp-bpf, AppArmor, or namespaces instead)
- Windows applications
- Applications that legitimately need broad system access
- Quick one-off scripts where sandboxing overhead isn't justified…