From the beginning, TCC has been a house of cards. It only impedes legitimate developers and tortures users with permission prompts that Apple ridiculed back in the day, while malicious apps can easily bypass the "security" (theater) in countless ways that researchers continue to uncover and report. I'm not a professional security researcher, just a Mac developer, but I've discovered a number of bypasses myself. It's almost as if Apple engineers don't even understand the technology they're using. And maybe they don't! How many remain from the pre-iPhone era?
The continuous incorporation of basic system features into TCC has drastically increased the friction of deploying enterprise management software on Macs (especially for education), to the point where I would question the overall value proposition.
I say this as a dedicated macOS (Cocoa) developer since 2003.