Why a downloaded app can read/write to ~/Downloads/ without requiring the privacy allow permission in Big Sur


In macOS Big Sur, I figured out that an app (downloaded from the internet) normally cannot access the ~/Downloads/, ~/Documents/, ~/Desktop/ folders directly. When it tries to access those folders for the first time, a popup window asks for permission, and the permission can be set up in System Preferences > Security & Privacy > Privacy > Files and Folders.

Edited: It seems my bad description makes people confused (sorry about my English). I will put two screenshots here to clarify what I mean:

[Screenshot]

The above screenshot appears when the app iTerm2 tries to access the ~/Downloads folder for the first time in Big Sur (basically when I execute the ls ~/Downloads/ command in iTerm2).

[Screenshot]

The above screenshot is where I can change the folders' privacy setup.

But today, I downloaded an app (it's a downloading tool) and installed it by dragging it to the /Applications folder (the same way I installed iTerm2). I tried to use that tool to download a file to the ~/Downloads folder, and the file was downloaded and written to the ~/Downloads folder directly without any permission requirement. It can also display/read all the files in the ~/Downloads folder. I checked the Privacy setup in System Preferences and it does NOT have that app set up either.

I am very confused about how that app can read/write files to ~/Downloads without requiring a privacy permission on the protected folder. I thought those protected folders were protected and could not be read/written before granting privacy permission. But I was wrong.
(Note that I later found out the Google Chrome app can read/write those protected folders too without asking for this privacy permission: File > Open File > choose any file inside the three protected folders.)

PS1: I haven't mentioned the "downloading tool app" name here because it is a non-English app. If anyone considers that I should give the name to get better help, just let me know. Thanks.

PS2: This is a fresh install of macOS Big Sur (not an upgraded system).

PS3: The "downloading tool app" is a GUI app. (NOT a CML app).

PS4: I just found out that the Google Chrome.app downloaded from https://chrome.google.com can write to (save files to) the ~/Downloads/ folder directly without requiring any privacy permission too. This is weird. Why do iTerm, Code and VLC require privacy permission to do any read/write to those protected folders, but Google Chrome does NOT need to require anything?

Best Answer

I’m not sure I fully follow all the PS, but when you download the tool in the first place and execute or move the file, you are granting entitlements for the download folder and clearing the quarantine flags on the app signaling that the app can run.

Apple designed this to warn people when they didn’t intentionally run an app, so the friction is for unintentional downloads; that is how I interpret why Apple designed it thusly.

You may need a session with someone to pick apart every step and evaluate each program closely to get a specific answer, but generally downloaded apps behave differently than ones the App Store installs with respect to sandbox and entitlement warnings.
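The answer above points to sandboxing and entitlements as the place to look. As an added example (not part of the original answer), this Python sketch reports whether an app's code signature declares the App Sandbox and which Downloads or user-selected file entitlements it carries. It assumes the entitlements are dumped with `codesign -d --entitlements :-` as on Big Sur; the function names and the sample plist are constructed for illustration.

```python
import plistlib
import subprocess

# Entitlement keys relevant to the folders discussed in the question.
SANDBOX = "com.apple.security.app-sandbox"
FILE_KEYS = (
    "com.apple.security.files.downloads.read-only",
    "com.apple.security.files.downloads.read-write",
    "com.apple.security.files.user-selected.read-only",
    "com.apple.security.files.user-selected.read-write",
)

def dump_entitlements(app_path):
    """Return the XML entitlements embedded in an app's signature (macOS only)."""
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        capture_output=True, check=True,
    )
    return result.stdout

def summarize(plist_bytes):
    """Report sandbox status and declared file-access entitlements."""
    data = plist_bytes.strip()
    # An app signed without entitlements produces empty output here.
    ent = plistlib.loads(data) if data else {}
    return {
        "sandboxed": ent.get(SANDBOX) is True,
        "file_access": sorted(k for k in FILE_KEYS if ent.get(k) is True),
    }

# Constructed sample, not taken from any real app.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.files.downloads.read-write</key><true/>
  <key>com.apple.security.files.user-selected.read-only</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    # On a Mac: summarize(dump_entitlements("/Applications/SomeApp.app"))
    print(summarize(SAMPLE))
```

Running `summarize` on the output for each app being compared shows side by side which of them are sandboxed and what file access each one declares.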