How do I see where can a sandboxed Mac application write on my disk?

macos mac safari sandbox

I know the app entitlements define its scope of access to resources. I already figured out how to get an app's entitlements, using the answer to this question

For example, to see Safari's entitlements, I use the following command in Terminal:

codesign -d --entitlements :- /Applications/Safari.app/

However, I cannot find there any list of directories the app can use to write files, and no list of directories where it can't. I'm especially interested to know where does Safari store temporary mid-download files.

Please advise.


Any sandboxed app always has full access to anywhere in its own sandbox. Safari's sandbox is

~/Library/Containers/com.apple.Safari

Related

Reduce file size of exported PDF from Notability app
Macbook Pro overheating issue?
Uninstalled apps still appear in settings
Are there any clean-up tools for Address Book data?
Command line argument to "find" and "grep" data inside "xattr -l" atrributes?
Finder always opens as a small window on the top left corner of the screen
How to access / export Safari browsing as file
Types of memory: Why do private and shared not add up to real memory?
What is the name of this application?
Can punching my iPhone damage it?
How can I bundle different installers from third party vendors to ease end-user installation process
Disable automatic alt text in Word for Mac