Your concerns are valid but they don't answer why I get the error that ffmpeg does not exist, even though I can obviously read its contents. At this point I'm just trying to understand how the sandbox works.

Thanks, indeed I get access failed. However I do get access OK and a successful execution when I open e.g. /usr/bin/uname instead. Why is there a difference and how can I grant access to execute a user selected binary?

I see, so basically there is no way to give access to run an external binary from a sandboxed app? (unless it happens to be in one of the system dirs that have an exception). And if that is the case, can even what Etresoft suggested ever work? Is there a path that a binary could be downloaded that can then be executed? It would seem that this is not possible, otherwise I could just copy the binary from /usr/local/bin there. That would mean that any GPL tool is completely off limits for a sandboxed app (unless the app itself is GPL), which is unfortunate.

Thank you eskimo and Etresoft for your helpful replies. I think you both verify that there is no way to let a user select a binary to run from inside a sandboxed app. The same from any binary downloaded from the internet. The only possible solution would be to bundle it inside the app, which would forbid the use of any GPL tool (either on App Store, or anywhere else really). This is a shame, I'll try to find a different solution. Thank you for your time.