Ahhhhh, this is one of those brain loops I go on every few years. Right after posting, I re-remembered at least part of the potential answer I arrive at when I go down this route:
There is at least one (potential) improvement in the XPC case, because while the XPC service might be running with elevated privileges/entitlements it might not expose full access to those.
I.e. imagine an XPC service that gets installed as a system daemon to idk… delete another user's account, say. So it exposes an interface with one method, which takes the unfortunate user's name as a string and does the deed via its own root-esque privileges.
Now, if the main app is compromised the damage is at least somewhat contained. Barring a further vulnerability in the XPC daemon it can only delete user accounts. Not that that's great, but at least it can't also delete applications (barring path traversal bugs…) or reconfigure printers or install its own persistent privileged daemons….
1. exploit vulnerability in main process
2. arbitrary execution there
3. pick shenanigans only from a limited menu of XPC service offerings
Is this the main/only benefit, or am I missing others?
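As an added illustration of the containment argument in the post above (this is example code written for this page, not code from the post's author or from Apple), here is what such a narrow-interface privileged XPC service could look like. The protocol name, Mach service name, bundle identifier and Team ID are placeholders, and the privileged action is delegated to `/usr/bin/dscl` with an argument array rather than a shell command line. Two checks matter for the containment claim: the listener only accepts connections from a client whose code signature satisfies a requirement (macOS 13+ `setCodeSigningRequirement`), and the single exposed method validates the account name before it reaches the privileged operation, which is what closes the path-traversal hole the post mentions.

```swift
import Foundation

// Hypothetical one-method protocol: the entire attack surface a compromised
// client gets from this daemon. Name is an assumption for this example.
@objc protocol AccountRemovalProtocol {
    func deleteUser(named name: String, reply: @escaping (Bool, String) -> Void)
}

final class AccountRemovalService: NSObject, AccountRemovalProtocol {
    // Accept only plain POSIX-style account names. '/', '.', spaces and the like
    // are refused here, so "../something" never becomes part of a dscl path.
    private static let validName =
        try! NSRegularExpression(pattern: "^[a-z_][a-z0-9_-]{0,30}$")

    func deleteUser(named name: String, reply: @escaping (Bool, String) -> Void) {
        let range = NSRange(name.startIndex..., in: name)
        guard Self.validName.firstMatch(in: name, options: [], range: range) != nil else {
            reply(false, "rejected: malformed account name")
            return
        }
        // Run dscl directly with an argument array (no shell involved), so the
        // name is one argv entry rather than text interpolated into a command.
        let dscl = Process()
        dscl.executableURL = URL(fileURLWithPath: "/usr/bin/dscl")
        dscl.arguments = [".", "-delete", "/Users/\(name)"]
        do {
            try dscl.run()
            dscl.waitUntilExit()
            reply(dscl.terminationStatus == 0, "dscl exited \(dscl.terminationStatus)")
        } catch {
            reply(false, "failed to launch dscl: \(error)")
        }
    }
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        // Only a client whose code signature satisfies this requirement may talk
        // to the daemon. Bundle identifier and Team ID (subject.OU) are placeholders.
        if #available(macOS 13.0, *) {
            connection.setCodeSigningRequirement(
                "anchor apple generic and identifier \"com.example.mainapp\" " +
                "and certificate leaf[subject.OU] = \"ABCDE12345\"")
        } else {
            // Without the requirement API, refuse rather than accept unverified peers.
            return false
        }
        // Expose exactly one interface with exactly one method; nothing else is
        // reachable over this connection.
        connection.exportedInterface = NSXPCInterface(with: AccountRemovalProtocol.self)
        connection.exportedObject = AccountRemovalService()
        connection.resume()
        return true
    }
}

// Mach service name is a placeholder; it must match the daemon's launchd plist.
let delegate = ListenerDelegate()
let listener = NSXPCListener(machServiceName: "com.example.accountremoval")
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The code-signing requirement is what keeps "arbitrary code in the main process" from becoming "arbitrary code talking to the daemon from anywhere": an attacker who has taken over the signed main app can still call `deleteUser`, but a separate unsigned process cannot. The name validation is the daemon-side defence against the traversal case; it has to live in the privileged process, since nothing the compromised client does can be trusted.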
Topic: Privacy & Security, SubTopic: General