Does the Sandbox stop a static library (linked into a Safari App Extension) from opening files from a Cocoa Resource Bundle (copied into that Safari App Extension)?

App architecture

I am making a macOS Safari (native) App Extension. It's hosted by a macOS Cocoa app.

The App Extension links a static library, and also copies in a Cocoa Resource Bundle.

Aim (and expected behaviour)

The static library needs to read from this resource bundle at runtime.

For a regular macOS app (not an App Extension) that has no entitlements file (and thus, no sandboxing), I find that this file access works just fine.

The file access also works on iOS, for an app that has been accepted into the App Store. Of note, the iOS app doesn't list any Sandbox-related entitlements.

Observed behaviour

For the App Extension, when the static library tries to access the resource bundle at runtime, I receive an error upon file access.

I have no error message to share, unfortunately (I haven't worked out how to pass the error message up from the low-level C++ code in the library to the Obj-C code that abstracts it). I'll try to produce one if this issue doesn't indeed smell like a Sandbox issue, though C++ is foreign to me.

So is this definitely a Sandbox issue? Can I rule that out somehow whilst still being able to install the App Extension into Safari to test it? And if it is a Sandbox issue, is there any way I can give the static library access to the resource bundle whilst satisfying the Sandbox?

This is an initial writeup to see if the failure pattern rings any bells – I'm happy to provide an infinitely deeper level of detail if anything more needs probing.