Sandbox admin privileges

Solution 1:

The app can have read/write access to a location if it gets your permission using an entitlement as part of the App Sandbox; in other words, this is how it's supposed to work. The app is code-signed and trusted, it's asking your permission, and in theory all should be good.

As noted in the Mac Technology overview:

App Sandbox

Introduced in OS X v10.7, App Sandbox provides a last line of defense against stolen, corrupted, or deleted user data if malicious code exploits your app. App Sandbox also minimizes the damage from coding errors. Its strategy is twofold:

App Sandbox enables you to describe how your app interacts with the system. The system then grants your app only the access it needs to get its job done, and no more.

App Sandbox allows the user to transparently grant your app additional access by using Open and Save dialogs, drag and drop, and other familiar user interactions.

Specifically, a developer can implement the following entitlement, as noted in Enabling App Sandbox. This is exactly what you described in your question, so this is probably the entitlement that the A/V program developer utilized to obtain just read and write access.

com.apple.security.files.user-selected.read-write

Read/write access to files the user has selected using an Open or Save dialog

Note that this is not the same as a true administrator user, since the program would not be granted the execute privilege.
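To see what an app is actually asking for, you can parse its entitlements plist and list the sandbox file-access grants it holds. The following is an added example, not code from the answer above; the entitlements plist it reads is a constructed sample, and the function name summarize_entitlements is my own.

```python
import plistlib

# Constructed sample entitlements plist (not taken from any real app): a
# sandboxed app that requests read/write access only to files the user
# picks in an Open/Save dialog, i.e. the entitlement discussed above.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
</dict>
</plist>
"""

# Constructed second sample: the same file entitlement without the sandbox
# being enabled at all, where the key grants nothing extra.
NOT_SANDBOXED = plistlib.dumps(
    {"com.apple.security.files.user-selected.read-write": True})

SANDBOX_KEY = "com.apple.security.app-sandbox"
# Sandbox file-access entitlements and what each grants. The user-selected.*
# keys only cover paths the user picked via a dialog or drag and drop.
FILE_ACCESS = {
    "com.apple.security.files.user-selected.read-only": "read user-picked files",
    "com.apple.security.files.user-selected.read-write": "read/write user-picked files",
    "com.apple.security.files.downloads.read-only": "read ~/Downloads",
    "com.apple.security.files.downloads.read-write": "read/write ~/Downloads",
}


def summarize_entitlements(plist_bytes: bytes) -> dict:
    """Report whether the app is sandboxed and which file-access grants it holds.

    Entitlement values are booleans; a key that is present but false grants
    nothing, so only true values count. Outside the sandbox these keys are
    meaningless, because a non-sandboxed app already has whatever the user's
    own file permissions allow.
    """
    ents = plistlib.loads(plist_bytes)
    sandboxed = ents.get(SANDBOX_KEY) is True
    granted = sorted(k for k, v in ents.items() if k in FILE_ACCESS and v is True)
    return {
        "sandboxed": sandboxed,
        "file_access": [FILE_ACCESS[k] for k in granted] if sandboxed else [],
        "unrecognized": sorted(k for k in ents if k != SANDBOX_KEY and k not in FILE_ACCESS),
    }


if __name__ == "__main__":
    print(summarize_entitlements(SAMPLE_ENTITLEMENTS))
    print(summarize_entitlements(NOT_SANDBOXED))
```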

Solution 2:

You're not seeing it correctly. Sandboxing doesn't bypass file permissions. If you don't have write access to a file then having the file-write entitlement won't give you write access to the file. Likewise the NSOpen/NSSave dialogs can't access anything they can't access with sandboxing off.