I think I've finally and by accident achieved a solution. For those who come after...
First, trigger the OS to intercept a C syscall on the main GUI process:
```zig
const fd = c.open("/dev/disk4", c.O_RDWR, @as(c_uint, 0));
// this should return an access denied error, that's OK
if (fd < 0) do_nothing() else _ = c.close(fd);
```
At this point, the OS should trigger an interactive dialog, requesting scoped permissions to Removable Volumes.
At this point, the Privileged Helper should inherit the permission from the main GUI process and be permitted to write to the block device. Repeat the C open() syscall procedure on the helper for good measure. Here, however, do not ignore the Access Denied error.