In one of the WWDC developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted root access as one of the remaining weaknesses of the system, saying that "[any] piece of malware is one password or vulnerability away from taking full control of the device".

[10] The kernel refuses to boot if unsigned extensions are present, showing the user a prohibition sign instead.

For example, SIP will sanitize LD_LIBRARY_PATH and DYLD_LIBRARY_PATH before calling a system program like /bin/bash to avoid code injections into the Bash process.

To that end, Apple provides the csrutil command-line utility which can be executed from a Terminal window within the recovery system or a bootable macOS installation disk, which adds a boot argument to the device's NVRAM.

Macworld expressed the concern that Apple could take full control away from users and developers in future releases and move the security policy of macOS slowly toward that of Apple's mobile operating system iOS, whereupon the installation of many utilities and modifications requires jailbreaking.

[2][15] Some applications and drivers will not work to their full extent or cannot be operated at all unless the feature is disabled, either temporarily or permanently.

Ars Technica suggested that this could affect smaller developers disproportionately, as larger ones may be able to work with Apple directly.