Protecting ~/Library access from downloaded apps

I know that Mac OS has a permissions model to protect directories like the Document and Desktop directories: Control access to files and folders on Mac - Apple Support.


But I notice that apps seem to have unrestricted access in other directories such as ~/Library. I tested this by opening Firefox and I'm able to freely browse around there, and open up files to view their contents. Doesn't this mean that a rogue app can go into my Chrome or Firefox directory and read all of my saved personal info? What is the correct way of protecting myself when running things like games from the internet?

Posted on Sep 12, 2021 11:08 PM


Sep 13, 2021 9:36 AM in response to sfappsupp

As I stated, Firefox from a File URI in the address bar will allow you to snoop all over your Library folder because you alone have permission to do that. There would be no permissions dialog because you already have it based on the Library folder permissions.


You would be foolish to download any software from any untrusted, non-original developer site. Even if you installed it and its group was admin or wheel, there is no telling what it might be doing while it is running, but I suspect it cannot get into your Library maliciously. Although Apple's macOS built-in security exists, there is a limit to how far it can protect you if you choose to introduce potentially dangerous software.


As long as you install software from the Mac App Store, or from original, trusted developers, your concerns about accessing your Library folder are unnecessary.

Sep 12, 2021 11:33 PM in response to sfappsupp

sfappsupp Said:

"[...]I notice that apps seem to have unrestricted access in other directories such as ~/Library. I tested this by opening Firefox and I'm able to freely browse around there, and open up files to view their contents. Doesn't this mean that a rogue app can go into my Chrome or Firefox directory and read all of my saved personal info? What is the correct way of protecting myself when running things like games from the internet?"

-------


Enable Firewall on your Mac:

Once Firewall is enabled, all should presumably be fine from there. Go Here: Change Firewall Preferences on Mac - Apple Support

Sep 13, 2021 8:58 AM in response to sfappsupp

The permissions on your Library folder grant only you read/write/search/execute privileges, and those privileges are disabled for other users and groups on your Mac. Since installed applications are members of wheel or admin groups, that excludes them too — except for specific locations that Apple allows them to store/update their data in the Library folder. An installed application package cannot snoop around in your Library folder due to those otherwise exclusionary Library folder permissions. Firefox allows you to use a File URI because of the Library permissions that you alone have.


Remote websites may use JavaScript, but it is sandboxed and cannot explore your filesystem.


I do not worry about what accesses my Library folder and I am not casual about security.
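
An added example, not part of the original thread or any poster's reply: a Python sketch of how POSIX mode bits are matched against the credentials of the running process (owner class first, then group, then other). It models the mode bits only, not ACLs, the App Sandbox or macOS privacy (TCC) prompts; the function names and the temporary `Library` directory are constructed for illustration.

```python
import os
import stat
import tempfile

def class_for(st, uid, gids):
    """Pick the permission class POSIX applies to a process: owner, group or other."""
    if uid == st.st_uid:
        return "owner"
    if st.st_gid in gids:
        return "group"
    return "other"

def can_list(path, uid=None, gids=None):
    """Check the read+search bits of a directory for the given process credentials.
    Defaults to the credentials of the current process."""
    st = os.stat(path)
    uid = os.geteuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getegid()}) if gids is None else set(gids)
    cls = class_for(st, uid, gids)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    bits = (stat.S_IMODE(st.st_mode) >> shift) & 0o7
    return cls, bool(bits & 0o4) and bool(bits & 0o1)

def audit(root):
    """List each subdirectory with its mode, the class that applies, and the result."""
    rows = []
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if entry.is_dir(follow_symlinks=False):
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            cls, ok = can_list(entry.path)
            rows.append((entry.name, oct(mode), cls, ok))
    return rows

def demo():
    """Constructed stand-in for a home Library folder (mode 0700); no real user data."""
    with tempfile.TemporaryDirectory() as home:
        lib = os.path.join(home, "Library")
        os.mkdir(lib)
        os.chmod(lib, 0o700)
        as_me = can_list(lib)                                   # same UID as the owner
        as_other = can_list(lib, uid=os.geteuid() + 1, gids=[])  # a different account
        return as_me, as_other

if __name__ == "__main__":
    print(demo())
    for row in audit(os.path.expanduser("~/Library")):
        print(row)
```

Run from Terminal, the `audit` output shows which class the mode bits assign to a process started under your own account for each folder in `~/Library`.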



Sep 13, 2021 9:21 AM in response to VikingOSX

Sorry I still don't quite understand. The reason I'm confused is that when I type file:///Users/<me>/Library into the Firefox address bar, it showed me the files without prompting for any permissions dialog. I can browse into other apps' "Application Support" folders as well, such as going into Chrome's data. If the app is able to show the files' contents without prompting, I'm assuming it can do so in the background without my knowledge as well. Is this the default behavior or did I grant it access somehow without realizing it?


What I'm thinking about is this scenario: I download some software from an untrusted source like an indie developer from Steam. I run the game as my User. Can the software do something similar to FF's file:/// browser and snoop around ~/Library?

Sep 13, 2021 6:55 AM in response to sfappsupp

Installed applications, in addition to those from Apple, write into ~/Library/Application Support, ~/Library/Caches, ~/Library/Preferences, ~/Library/Containers, and other potential app-specific ~/Library locations. That is normal behavior and one that Apple encourages in sandboxed application design.


The fact that you opened a file chooser in Firefox and could navigate into your local library is also normal, though ill-advised. Either don't do so, or open a Finder window, press cmd+J to open the Finder View Options panel, and choose to hide your Library folder. That does not prevent the first paragraph application behavior, but any application's open panel will simply not see the Library folder.
