As you discovered, managedSettings.shield.applicationCategories = .all() shields most but not all apps. Messages can be shielded using .all however you need to remove it from "Always Allowed" in System Settings/Screen Time. Also what's interesting behavior is if an app is in Always Allowed, it will never be shielded using a category shield. However, if the app is directly selected and shielded, then regardless of it being in the Always Allowed, it can be shielded. Programmatically selecting apps to shield isn't currently an option as tokens are only generated when apps are selected in the picker. Apple should allow developers to add apps to shield via their bundleID while still keeping privacy. The API would just silently fail for any apps not installed on a device so a developer could just have a list of ID's to shield for a given situations in their apps. Also want this for categories so we could shield all games without users having to pick "games" in the picker. I've filed enhancement requests with feedback assistant about giving more functionality in shielding all, adding apps programmatically, etc. I recommend you do so too so that Apple gives developers more control over all of this.

This morning on Apple's Git hub for cloudkit-privateddb-sync was updated with a fix for this problem. "CKRecorddoes not yet conform toSendable`, so to avoid it crossing the actor boundary we pull out what we need from changed/new records before." see changes here: https://github.com/apple/sample-cloudkit-privatedb-sync/commit/b00e00e57c879690af6654c59982d073b5d29de1 I'm hoping that cloud kit-sharing will be updated with similar fixes soon.