> SIP means not messing with the system files, enumerated thusly: /System.

...and all its children, which is effectively the entire operating system

> Enumerating what I do want an app to access is handled by Gatekeeper.

Gatekeeper is not capable of this.

It's among the things Gatekeeper does, isn't it? As configured with PPPC?

It's actually a larger list available in /System/Library/Sandbox/rootless.conf