Thanks to Alex Gaynor from Mozilla for pointing this out. macOS 10.13 has additional enforcement policies that we should investigate:

(deny default)
(deny file-map-executable iokit-get-properties process-info* nvram*)
(deny dynamic-code-generation)


Note that if we use deny file-map-executable, we need an allow file-map-executable for the component flash location.