Limit access for a file/folder to a given application

So I'm aware that Apple can designate a folder as a "data vault", and access to that folder is limited to applications that have a specific entitlement. I was wondering if there was an equivalent (or the same, I'm not fussy :) feature available to third parties, even if only during the app-store submission?

To avoid the X-Y problem, what I want to do is have a launch agent with access to a SQLite database, and I want only that launch agent to have access. Any reads of the database will have to be done through an XPC call from the main user-facing application.

I want to store private data into that database, and I don't want there to be any way for any other application to read it. If there's a way to do that without data-vaults I'm all ears :)

I'm not sure if this is really the right place, perhaps the core-os forum would be better, but since the Apple solution is gate-kept by entitlements, I thought I'd start here :)

I was wondering if there was an equivalent (or the same, I'm not fussy :) feature available to third parties, even if only during the app-store submission?

Somewhat. By default, your sandboxed app's Container folder is private. Other apps can request access and the user can permit it. And apps having Full Disk Access can read the data too.

To avoid the X-Y problem, what I want to do is have a launch agent with access to a SQLite database, and I want only that launch agent to have access.

You will need to be more precise here. By "access", do you mean both read and write access? You can prevent read access, but not write access.

Any reads of the database will have to be done through an XPC call from the main user-facing application.

Let me know if you ever get that working. I tried and failed to get XPC working with a sandboxed launch agent. So before you commit to that path, make sure you can make it work, or have a backup plan.

I want to store private data into that database, and I don't want there to be any way for any other application to read it. If there's a way to do that without data-vaults I'm all ears :)

You can always encrypt the data. That will block reading, but not writing. With checksums, you could detect tampering. But you probably couldn't detect outright erasure of the database.

Perhaps this would be a good point to ask what your ultimate goal is with this? When you put your software out onto someone else's computer, you lose a lot of control. That's just the way it is.

If you worry too much about security, and do something silly like take advice from the internet to encrypt your databases, then you're setting yourself up for a whole lot of headaches.
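To make the reply's point concrete (a checksum can reveal tampering, but not erasure, and nothing stops a same-user process from reading the file), here is an added example that is not part of the thread or of any Apple API. It uses only the Python standard library: a keyed HMAC over the raw SQLite file stored in a constructed sidecar file, a simulated "other app" that reads and then rewrites the database, and a verify routine that cannot distinguish deletion of both files from a fresh install. The key comes from os.urandom for the demo; where it would really live is exactly the open question in this thread, and no encryption layer is shown.

```python
"""
Added example (not from the forum thread): a keyed integrity check over a
SQLite database. Shows that a MAC detects modification but not erasure,
and that any same-user process can still read the rows.
"""
import hashlib
import hmac
import os
import sqlite3
import tempfile
from contextlib import closing

MAC_SUFFIX = ".mac"  # constructed: sidecar file holding the stored tag


def create_db(db_path: str) -> None:
    """Create a small messages table standing in for the agent's data (constructed sample)."""
    with closing(sqlite3.connect(db_path)) as con, con:
        con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO messages(body) VALUES ('hello from device A')")


def seal(db_path: str, key: bytes) -> bytes:
    """HMAC-SHA256 over the raw database file, stored beside it.
    A keyed MAC rather than a plain checksum: anyone able to write the file
    could recompute an unkeyed checksum, so the tag only means something if
    the writer does not hold the key."""
    with open(db_path, "rb") as f:
        tag = hmac.new(key, f.read(), hashlib.sha256).digest()
    with open(db_path + MAC_SUFFIX, "wb") as f:
        f.write(tag)
    return tag


def verify(db_path: str, key: bytes) -> str:
    """Return 'ok', 'tampered' or 'absent'.
    'absent' is also what a first launch looks like: if both files are gone,
    the agent cannot tell deliberate erasure from a fresh install."""
    if not os.path.exists(db_path) and not os.path.exists(db_path + MAC_SUFFIX):
        return "absent"
    try:
        with open(db_path, "rb") as f:
            expected = hmac.new(key, f.read(), hashlib.sha256).digest()
        with open(db_path + MAC_SUFFIX, "rb") as f:
            stored = f.read()
    except FileNotFoundError:
        return "tampered"  # only one of the pair survived
    return "ok" if hmac.compare_digest(expected, stored) else "tampered"


def other_app_reads(db_path: str) -> list:
    """A process running as the same user opens the file directly;
    file permissions alone do not stop it (the gap the question is about)."""
    with closing(sqlite3.connect(db_path)) as con:
        return [row[0] for row in con.execute("SELECT body FROM messages")]


def other_app_writes(db_path: str) -> None:
    """A same-user process modifying the database behind the agent's back."""
    with closing(sqlite3.connect(db_path)) as con, con:
        con.execute("UPDATE messages SET body = 'forged' WHERE id = 1")


def demo() -> dict:
    """Run the scenario end to end and return what verify() reported at each step."""
    key = os.urandom(32)  # constructed: where this key lives is the hard part
    results = {}
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "agent.sqlite")
        create_db(db)
        seal(db, key)
        results["fresh"] = verify(db, key)
        results["leak"] = other_app_reads(db)      # plaintext rows, no key needed
        other_app_writes(db)
        results["after_write"] = verify(db, key)   # modification is detected
        os.remove(db)
        os.remove(db + MAC_SUFFIX)
        results["after_erase"] = verify(db, key)   # erasure looks like first run
    return results


if __name__ == "__main__":
    print(demo())
```

The sidecar tag only helps if the key is unavailable to whoever can write the file; if the key sits in a place every same-user process can read, an attacker recomputes the tag after editing, which is the same problem the Keychain discussion below runs into.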

The goal here is to support end-to-end encryption of messages between devices. There's not much point in having E2E encryption if anything can just read the content locally :) - even if the user has to specify they can do it. Social engineering is something of an art form these days...

I could encrypt the data, but then the question becomes 'where do you keep the master encryption key'. For a launch-agent to be the gatekeeper, I don't really want the user to have to type in a password before it can read its data, nor do I want it to be dependent on network access to pull a key down from secure storage in the cloud. If the encryption key is stored in the keychain, then anything can access that key, so ...

It's just sort of frustrating to know that it can be done based on an entitlement (for example: Mail.app does exactly this) but it's not available to mere mortals ...

Thanks for the hint on the XPC/sandboxing - I'll check that out. I thought I'd done XPC with a sandboxed app before, but that was a few years ago, and things do change...
