System Integrity Protection, DataVaults, and entitlements
While investigating my Mac issues over the past couple of weeks, I've kept running into directories that I mysteriously can’t access, even using sudo.
Tonight I found out why. Apple has implemented something called SIP, System Integrity Protection, which restricts access to various things.
And it turns out that in the latest version of macOS, Mojave, SIP now applies to some parts of the user directory. For more information, including some details about DataVaults and entitlements, see the answer to a StackExchange question.
For more about entitlements, see an Apple developer document, though that document is no longer being updated and so may be out of date.