The MacOS app store has some sandboxing. For example, applications installed from the store can't access any file or directory unless a user has selected it in a file dialog. (The app can hold onto a ticket for later access.) I've installed Slack from the app store for this reason.
I've installed Slack on macOS using Nix. That way, the installer's sha256 is checked, and its attempts at self-modification (updating) are thwarted by /nix/store being a read-only filesystem.
I think MacOS has some protection even for manually installed apps. I downloaded iTerm2 as a .pkg and installed it manually into Applications, but the first time I typed `cd Downloads` I got an OS-level popup asking if I wanted to grant iTerm2 access to my downloads folder.
