Thank you, we have filed a report with more details under the id FB11683618.

TL;DR If you want to use the above entitlement in the app store, you will at least have to appeal the rejection (and it might still be turned down). A quick summary for the sake of future developers reading this: We eventually opened a DTS case to discuss options as advised by app review. The discussion concluded that there are no good options without the above entitlement, the only fix that could be accepted into the app store under this policy being to embed needed trust roots in the code instead of accessing them through the OS. We verified that narrowing the entitlement to just the lock file <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key> <array> <string>/private/var/db/mds/mds.lock</string> </array> is sufficient and this was confirmed by DTS, but this entitlement was likewise rejected by app review as requesting "read-write access to read-only system location". As app review did not respond to requests to further clarify their policy, we verified that on BigSur a sandboxed app running as root (in this case a network extension) can write to the /private/var/db/mds/mds.lock file (and indeed even other files like /private/var/db/mds/mds-test.lock) and pointed this out to challenge the classification as "read-only system location". After further review, this didn't change the rejection outcome. We appealed the decision and let the case run for ten days without response other than an initial notification that it was being looked at. Eventually, we were pressed by external deadlines - as you can see this has been dragging out for about a month now - and submitted the alternative workaround that embeds trust roots in the code, which I believes withdraws the appeal. Without the entitlement, our app has been accepted. Clearly, this is an inferior solution in terms of both maintenance and security, but for now it is our only option.

In our app, the workaround temporary exception suggested by Quinn Pending a fix, you can work around the bug by adding a temporary exception entitlement to your sysex: <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key> <array> <string>/private/var/db/mds/</string> </array> has been rejected by Mac App Store app review with the comment Value "/private/var/db/mds/" requests read-write access to read-only system location. Our deployment target is 10.15 so a workaround is necessary despite the issue being fixed on BigSur. I referenced both Quinn's post as well as the bug number in the submission. As advised, I tried to replace the above .read-write entitlement with a .read-only entitlement, but this does not seem sufficient to prevent the underlying bug. Could I get confirmation or clarification whether .read-write is indeed necessary? (I was going to open a DTS incident but then reconsidered since the form directs you to check the developer forums first and, well, I knew of this forum thread right here :) )

I now noticed that this issue also occurs independent of using xcconfig-defined variables. Skipping step two in the "Steps to reproduce" and using hardcoded (but different) bundle identifiers for the two configurations in step five will show the same behavior. On the other hand, if you use only a single configuration setting the bundle identifier to $(BUNDLE_ID) then the first build after changing the value of BUNDLE_ID in the xcconfig file will always fail as above, trying to copy the old bundle id - so this isn't only a matter of using different configurations either.