- accidental exposure of local services
- unexpected persistence changes
- suspicious process execution
- unauthorized or unexpected use after idle periods
- visibility gaps in the monitor itself
- evidence loss through premature cleanup
- no retaliation
- no exploitation
- no credential theft
- no hidden persistence
- no stealthy self-repair
- no browser history inspection
- no malware removal claims
- local findings database
- monitor event history
- investigation notes
- exported reports
- evidence snapshots
- Apple Exposure Assessment cache
- unintentional operator error
- overactive or broken detectors
- user-session blind spots
- local malware or tampering
- broken deployment state
- stale database or runtime mismatches
- preserve evidence
- reduce false confidence
- avoid popup storms
- keep all state local
- make alerts explainable