There's no sandbox-friendly APIs for this unfortunately, so the App Store can't accept any apps in this category.

Heya Quinn, happy new year. Would you mind taking another look at this? I'm still curious about it

Indeed, the security session (and audit session, for that matter) appear to be consistent across all apps (sandboxed or not), and even my XPC service, when I set JoinExistingSession to true. So there's some other secret sauce that's allowing EBAS to use SMJobBless despite its main app being sandboxed, and my app must be lacking it. I don't have any ideas for how to narrow down and isolate the difference. Do you have any suggestions?

Yep, I can confirm EBAS still works (macOS 12.0.1 (21A559)). Looking into SessionGetInfo now.

Hi Quinn. This made some progress! I posted my response an answer, inititally by accident, but now keeping it because it formats much more nicely than a comment :)

"""Are you building an XPC Service? Or vending an XPC service from a launchd daemon or agent?""" Both, in the same pattern as the "BetterAuthorizationSample" (using an XPC service to bless a privileged helper, on behalf of a sandboxed application). """do you have transactions enabled (EnableTransactions)?""" I do not. (yet? I'm not sure when they're necessary, I haven't gotten that far yet haha) (p.s. I accidentally posted my response to you as an answer instead of a comment. Is there a way for me to delete that? I don't see it)