This is detailed in the post, but the security feature i.e. preventing injected libraries access to entitlements isn't actually bypassed here. Rather the binary is run without these entitlements (which aren't required anyway for mirrord's use case).