`sandbox-exec` (macOS): command-line sandboxing
`sandbox-exec` is a built-in macOS command-line utility that runs a program inside a sandbox defined by a sandbox profile (a small Scheme/Lisp-like policy file). The profile allows or denies specific operations (network, file reads/writes, process exec, etc.), so the command can access only what you explicitly permit.
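As an added example (not from the original page), the wrapper below writes a profile that blocks network access and confines writes to one directory, then runs a command under it. The function names and the `WORKDIR` parameter name are assumptions of this example.

```shell
#!/bin/sh
# Added example. write_profile, run_sandboxed and the WORKDIR parameter
# name are assumptions of this example, not part of sandbox-exec.

# Write the policy to the file named by $1. Later rules take precedence,
# so the broad denies come first and the narrow allows re-open what is needed.
write_profile() {
    cat > "$1" <<'EOF'
(version 1)
(allow default)
; no network access of any kind
(deny network*)
; no writes anywhere, except /dev/null and the directory passed as WORKDIR
(deny file-write*)
(allow file-write* (literal "/dev/null"))
(allow file-write* (subpath (param "WORKDIR")))
EOF
}

# run_sandboxed DIR CMD [ARGS...]: run CMD with DIR as its only writable tree.
run_sandboxed() (
    # Resolve symlinks: the profile matches real paths, and on macOS
    # /tmp is a symlink to /private/tmp.
    workdir=$(cd "$1" 2>/dev/null && pwd -P) || exit 2
    shift
    command -v sandbox-exec >/dev/null 2>&1 || {
        echo "sandbox-exec not found (macOS only)" >&2
        exit 127
    }
    profile=$(mktemp) || exit 2
    write_profile "$profile"
    rc=0
    sandbox-exec -f "$profile" -D "WORKDIR=$workdir" "$@" || rc=$?
    rm -f "$profile"
    exit "$rc"
)

# On macOS:
#   run_sandboxed "$PWD" touch ok.txt          # allowed: inside WORKDIR
#   run_sandboxed "$PWD" touch "$HOME/no.txt"  # denied by (deny file-write*)
```

The wrapper returns the sandboxed command's exit status, so a denied operation surfaces as that command's own failure.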