theres def still lots of silly macOS / iOS env var vulns. QuartzCore lets you create arbitrary files with X_LOG_FILE. might be able to make a TCC bypass or something with it, i haven't checked. fun fact: it also used to put this var directly into a call to system()