Something like Little Snitch can protect against something POSTing your key vault or other sensitive data somewhere. SSH/GPG keys can be put on a token, but what else can you do besides running everything on docker or in a VM and having to pay the performance overhead?
It would be nice if it was possible to run a space as a different “sub user” with no permission on the master user’s files (maybe done via screen sharing to localhost?) and/or being able to assign folder/file access permission on a whitelist/blacklist basis per process for example.
I personally have ended up separating all my documents and important browsing (banking, etc.) to a separate computer I ONLY use for that (with separate browser profiles too; I wish you could run firejail on Mac, btw), but it would be nice if there was a way to improve the situation for cases where that is not possible.