Relying on the PID to validate an IPC peer is unsafe.
Applying web security tricks to macOS LPE bugs.
A TOCTOU bug in CoreFoundation and a state change of the sandbox lockdown on macOS Safari, leading to an easy sandbox escape.
Code signature bypass and insecure sideloading give root.
The private API design of XPC could make it hard for 3rd-party developers to write secure code.
Get some real-life 0days by playing CTF challenges.