Token Selection from DeviceActivityReport

I'd like to allow users to select apps to shield from a DeviceActivityReport (similar to how Apple's Screen Time Settings activity report allows a user to "add limits" to a selected app in the report.

What I need to do is pass an appToken from the DeviceActivityReportExtension to my app.

I realize the extension is sandboxed and doesn't allow "private" data to be seen outside of the sandbox. The docs state:

To protect the user’s privacy, your extension runs in a sandbox. This sandbox prevents your extension from making network requests or moving sensitive content outside the extension’s address space.

However, tokens aren't "sensitive".

I want to pass a token set out of the sandboxed extension so users can select certain apps from the report that my app can use for setting limits, etc.

I thought using App Groups and saving data with UserDefaults with a suiteName for my app group would do it, but it doesn't appear to allow me to pass the token data.

Yes I'm using the same KEY for both as I set a config enum to ensure it's the same and I can pass tokens successfully between other extensions/apps in the app group, but not the report extension.

It seems the app and the extension have their own stores as the report extension can write to and read from a store but despite being the same suiteName, other apps in the app group don't get or send data to the Report Extension. I realize this is probably due to the design with the sandbox to protect user privacy, however it seems an exception should be made for passing tokens (or even better allow passing through another method like a callback, etc).

Is there ay way to accomplish passing a token from the sandboxed report extension to my app?

Token Selection from DeviceActivityReport
 
 
Q