Consider a scenario: there are two iOS apps:
App1: com.example.app1
App2: com.example.app2
App1 has no keychain access groups other than its default group, which is <TeamID>.com.example.app1. However, App2 has a keychain access group added which is the bundle identifier of App1, i.e. <TeamID>.com.example.app1. So App2's access groups are as follows: [<TeamID>.com.example.app1, <TeamID>.com.example.app2]
This way App2 has access to App1's private access group, which means App2 can create, read, update and delete ALL the keychain items inside App1's private group.
But Apple's developer documentation says otherwise.
Referring to this document: https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps
In section “Establish your app’s private access group” (https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps#2974916), it says that “Because app IDs are unique across all apps, and because the app ID is stored in an entitlement protected by code signing, no other app can use it, therefore no other app is in this group”.
Focus on "therefore no other app is in this group". But as proved by the scenario above, App2 can be part of App1's private access group.
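The following Swift snippet is an added illustration of the scenario, not code from the post or from Apple. It assumes a placeholder Team ID (TEAMID) and that App2's entitlements file carries the two groups in the order listed above; the function names are this example's own. Two points it makes explicit: the scenario only works because both apps are signed by the same team (the keychain-access-groups entitlement must carry the team's own application identifier prefix, which the provisioning profile and code signing enforce, so an app from a different team cannot list <TeamID>.com.example.app1 at all), and when an app adds an item without naming an access group, the item goes into the first group in its entitlement array, which for App2 as configured would be App1's private group. The access-group self-check at the end lets a build verify at runtime that its reachable groups match what a reviewer expects.

```swift
import Foundation
import Security

// Placeholder Team ID for the two apps in the scenario (assumption: both
// apps are signed under the same team, otherwise App2 could not hold this
// entitlement). App2's keychain-access-groups entitlement is assumed to be:
//   [ "TEAMID.com.example.app1", "TEAMID.com.example.app2" ]
let app1PrivateGroup = "TEAMID.com.example.app1"
let app2PrivateGroup = "TEAMID.com.example.app2"

/// Stores a generic-password item, always naming the access group explicitly.
/// Omitting kSecAttrAccessGroup makes the item land in the FIRST entitled
/// group, which in App2's configuration is App1's private group.
func storeSecret(_ secret: Data, account: String, service: String,
                 accessGroup: String) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrAccessGroup as String: accessGroup,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecValueData as String: secret,
    ]
    SecItemDelete(query as CFDictionary) // replace any existing item with the same key
    return SecItemAdd(query as CFDictionary, nil)
}

/// Reads an item back together with its attributes so the caller can see
/// which access group actually holds it (useful when auditing shared groups).
func loadSecret(account: String, service: String,
                accessGroup: String) -> (data: Data, group: String)? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrAccessGroup as String: accessGroup,
        kSecReturnData as String: true,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let attrs = result as? [String: Any],
          let data = attrs[kSecValueData as String] as? Data,
          let group = attrs[kSecAttrAccessGroup as String] as? String else {
        return nil
    }
    return (data, group)
}

/// Runtime self-check: is the running app entitled to `group`?
/// A query against a group that is not in the entitlements fails with
/// errSecMissingEntitlement (-34018); errSecSuccess or errSecItemNotFound
/// both mean the group is reachable.
func isEntitled(toAccessGroup group: String) -> Bool {
    let probe: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccessGroup as String: group,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecReturnAttributes as String: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(probe as CFDictionary, &result)
    return status == errSecSuccess || status == errSecItemNotFound
}

/// Compares the groups the app can reach against the reviewer-approved set.
/// Returns the groups that are reachable but were not expected.
func unexpectedAccessGroups(expected: Set<String>, candidates: [String]) -> [String] {
    return candidates.filter { isEntitled(toAccessGroup: $0) && !expected.contains($0) }
}

// Usage (in App2): without an explicit group, this item would be written into
// App1's private group; naming app2PrivateGroup keeps it in App2's own group.
let status = storeSecret(Data("example-token".utf8), account: "session",
                         service: "com.example.app2.auth", accessGroup: app2PrivateGroup)
if status == errSecSuccess,
   let item = loadSecret(account: "session", service: "com.example.app2.auth",
                         accessGroup: app2PrivateGroup) {
    print("stored in group \(item.group)")
}
// Usage (in App1): flag any reachable group beyond its own private group.
let extra = unexpectedAccessGroups(expected: [app1PrivateGroup],
                                   candidates: [app1PrivateGroup, app2PrivateGroup])
print(extra.isEmpty ? "access groups as expected" : "unexpected groups: \(extra)")
```

Because the entitlement set is fixed at signing time, the most reliable control is reviewing each app's entitlements file (codesign -d --entitlements) before release; the runtime probe above is a complement for catching a misconfigured build early, not a substitute for that review.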