Is "library-validation" implied by hardened runtime?

Couldn't figure out how to edit the post, but I forgot to mention that we don't include the com.apple.security.cs.disable-library-validation entitlement

I did a quick scan of some of the apps on my system

Just FYI, Apple apps won’t help you understand this issue because many of them are platform binaries [1] and platform binaries get library validation by default, regardless of their hardened runtime state.

does explicitly specifying library validation provide something that hardened runtime does not already?

No [2].

As long as you don’t use com.apple.security.cs.disable-library-validation to opt out of library validation, enabling the hardened runtime is all you need to do.

especially to avoid library injection when SIP is off

Have you tried to verify that claim? My understanding is that disabling SIP disables the underlying mechanism of library validation, and that takes effect regardless of how you enabled it.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] THe definition of platform binary is a complex one but, as a shorthand, you can think of it as anything built in to macOS.

[2] There’s one obscure case where setting the library validation flag and the hardened runtime flag can help. Old versions of Gatekeeper had a bug (r. 57278824) where they’d fail to recognise the implicit library validation enabled by the hardened runtime, and thus would block an app unnecessarily. You could work around that bug by setting both flags. However, that didn’t increase security, it just worked around a bug that would otherwise cause your app to be blocked by Gatekeeper.

IIRC this was in the 10.15-ish timeframe, so very early in our hardened runtime journey. If your app’s deployment target is macOS 10.15.7 or later, this is most definitely not a concern.