You have have read that CheckPoint, a cyber security research company, has identified vulnerabilities that may allow an attacker to compromise your computer using malicious subtitle files downloaded by popular media players including Kodi and VLC. It's not clear if this affects macOS too, but in light of this threat, here is a summary of how I further "lockdown" any apps I'm unsure of...
First off, download the latest versions i.e. VLC 184.108.40.206+ or Kodi 17.2+. And while you're at it, read my post on how to verify your download by comparing it with VLC's published SHA-256 checksum.
If you're paranoid - like I am - these posts may be of interest to anyone trying to further "lockdown" these apps (and I use the term "lockdown" really, really loosely, because I'm in no way implying these methods are 100%, or not implying that VLC or Kodi are insecure or untrustworthy):
You could create a macOS App Sandbox - I detail out how I sandboxed Kodi and the ideas therein apply to any other App. This is a bit like Jails in BSD or Sandboxie in Windows, and can block Apps from accessing system resources, directories, shared memory, etc. However, setting this up requires deep technical knowledge of macOS and POSIX.
- Or you could create a Virtual Machine (or VM) to run your App in, with virtualization software like the open-source VirtualBox, which supports Windows or Linux Guests. I personally use the free Parallels Desktop Lite - and I wrote about how easy to install a macOS guest on a macOS host. By default, the guest cannot access the file system of your host, unless you explicity "share" a folder. However, there is a performance hit, and on my macOS VM on MacBook Air (2015), there is some stuttering when playing a Youtube video or MP4 file in QuickTime.
Neither a foolproof, both require work, and if you don't know what you are doing, then there is no security to be had no matter what. I guess for me, these are sufficient to allay my main concern of keeping my files secure (i.e. untouched by the likes of ransomware, and not "stolen" off my machine outright).