Thank you, Quinn. What would be suggested way to achieve same level of validation with pre-14.4 macOS versions? SecCode* API validation before using posix_spawn() and co. is still vulnerable to rapid binary replacement attacks.

Did you try to apply for com.apple.developer.device-information.user-assigned-device-name entitlement? I presume it may grant you access to the hostname.