makes sense - so dyld's newer role in the security model actually expanded the attack surface, since it has to be trusted by the OS in ways dyld2 didn't. I'm curious whether Apple has tooling to catch privilege boundary issues like this during development, or if it's mostly manual review + fuzzing. feels like the kind of thing that should show up in static analysis if you're tracking trust domains