TCC permissions, iCloud, extensions
Mac
macOS puts most sensitive permissions behind a single screen: System Settings → Privacy & Security. Audit it every quarter — apps you forgot you installed may still have Full Disk Access.
Audit Full Disk Access grants
1-clickHighFull Disk Access lets an app read every file on your Mac, including Mail, Messages, Safari bookmarks, and private folders. This is the single most powerful permission on macOS and is often granted to developer tools and agents you forgot you installed.
Audit Screen Recording & System Audio Recording
1-clickHighAny app with Screen Recording can silently capture your entire display, including Zoom calls, passwords as you type, and sensitive documents. Zoom, screen-capture utilities, and some dev tools commonly hold this.
Audit Accessibility grants
1-clickMediumAccessibility lets an app read the content of other windows and send synthetic keystrokes/clicks. Legitimate uses: Raycast, keyboard remappers, automation tools. Illegitimate use: keyloggers.
Decide on iCloud Drive Desktop & Documents sync
1-clickMediumWhen enabled, macOS silently uploads your entire Desktop and Documents folders to Apple servers. Everything in those folders becomes subject to Apple's retention, court-order disclosure (unless Advanced Data Protection is on), and account-compromise risk.
Audit every browser extension
ManualMediumA malicious or abandoned browser extension can read every page you visit, inject code, and exfiltrate passwords. Extensions are updated silently by publishers — a once-safe extension can become spyware overnight.