Keychain access can be limited with ACLs, enforced with code signing signatures as well on iOS and more so on macOS where the “keychain” can still be the older file based type.

There are secrets I cannot export from my system keychain without disabling SIP on my Mac.