sandbox-exec is still around. I've created profiles to provide a security layer when building open source software (eg configure; make) They are available at https://github.com/BrianSwift/macOSSandboxBuild

When developing profiles for sandbox-exec, monitoring sandbox log messages is very helpful to understanding exactly what is being denied. I watch the activity with this command ( that I found in /System/Library/Sandbox/Profiles/com.apple.RemoteManagementAgent.sb ) : log stream --style compact --info --debug  --predicate '(((processID == 0) AND (senderImagePath CONTAINS "/Sandbox")) OR (subsystem == "com.apple.sandbox.reporting"))' I've created profiles to add a layer of security when building open source apps, without the inconvenience and overhead of running in a VM. They are available at https://github.com/BrianSwift/macOSSandboxBuild

delete this comment

Have you tried creating the file in the directory returned by confstr(_CS_DARWIN_USER_TEMP_DIR...? See man 3 confstr for details. This directory can be shown from command line with getconf DARWIN_USER_TEMP_DIR