GeminiDesktop GeminiDesktop
Guides

Why Gemini for Mac Isn't on the App Store — and Why That Matters for Your Security

Published · By GeminiDesktop Team

On April 15, 2026, Google released Gemini for Mac – its first native desktop AI assistant for macOS. The app is a full-featured client built in Swift, offering access to Gemini 3 Flash, Pro, and Ultra models directly from your Mac. By most accounts, it is a capable product.

But there is one decision that should give every security-conscious user pause: Google chose to distribute Gemini for Mac as a direct DMG download from gemini.google/mac, completely bypassing the Mac App Store.

This is not a minor distribution detail. It is a fundamental architectural choice that affects what the app can do on your system, what protections you lose, and how much you need to trust Google’s intentions. In this post, we break down exactly what this means for your security and privacy, compare Google’s approach with its competitors, and outline what you can do to protect yourself.

What the Mac App Store Actually Protects You From

To understand why DMG-only distribution matters, you first need to understand what the Mac App Store provides beyond convenience. Apple’s App Store is not just a storefront – it is a security infrastructure layer.

Sandboxing

Every app distributed through the Mac App Store is required to run inside Apple’s App Sandbox. This is a kernel-level containment mechanism that restricts what the app can access on your system. A sandboxed app cannot read files outside its own container without explicit user permission through system file dialogs. It cannot access other applications’ data. It cannot monitor system-wide input events. It cannot inject code into other processes.

When you install an app from the Mac App Store, you know – by technical enforcement, not by trust – that the app is constrained in what it can do.

Apple Review

Every Mac App Store submission goes through Apple’s review process. Reviewers check for malware, verify that the app does what it claims, ensure it follows Apple’s Human Interface Guidelines, and validate that it does not use private APIs or engage in deceptive behavior. Is the review process perfect? No. But it is a second pair of eyes that catches obvious problems.

Automatic Updates with Rollback

App Store apps receive updates through Apple’s managed update system, which includes code signing verification and the ability to roll back problematic updates. DMG-distributed apps handle their own update mechanisms, which may or may not be equally robust.

Notarization vs. App Store Review

It is important to note that Google’s Gemini DMG is notarized by Apple – meaning Apple has scanned it for known malware and issued a ticket confirming it is not obviously malicious. But notarization is a much lower bar than App Store review. Notarization checks for malware signatures and basic code signing validity. It does not evaluate the app’s behavior, its data collection practices, or its permission usage. Think of notarization as a metal detector at an airport – it catches guns, but it does not catch bad intentions.

The Gatekeeper Warning: Your First Red Flag

When you download and open Gemini for Mac for the first time, macOS displays a Gatekeeper warning. The exact wording varies depending on your macOS version and security settings, but it will be some variation of a dialog asking you to confirm that you want to open an application downloaded from the internet.

For users who have set their Security and Privacy preferences to “App Store only” (the most restrictive setting), they will need to manually override this protection in System Settings to install Gemini at all. This is not inherently malicious – many legitimate apps are distributed outside the App Store – but it does require users to actively lower their security posture to use Google’s product.

Compare this with ChatGPT Desktop and Claude Desktop, both of which are available on the Mac App Store. Installing either of those apps requires zero security overrides. You click “Get,” enter your Apple ID password or use Touch ID, and the app installs inside its sandbox. No warnings, no manual permission grants, no trust decisions beyond “I trust the Mac App Store.”

Accessibility Permission: The Most Powerful Permission on macOS

Here is where things get genuinely concerning. Gemini for Mac requests Accessibility permission – and not just as an optional enhancement. To use the app’s full browser page reading capabilities, you must manually navigate to System Settings, then Privacy and Security, then Accessibility, and grant Gemini access.

Most users do this without thinking twice. They should think carefully.

What Accessibility Permission Actually Grants

Accessibility permission on macOS is not just about making apps work with screen readers. It is one of the most powerful permission categories in the entire operating system. When you grant an app Accessibility access, you are giving it the ability to:

Read the contents of any window on your screen. Not just its own windows – any application’s windows. This means Gemini can read your email, your banking tabs, your medical records, your private messages, and anything else currently displayed on your Mac.

Monitor keyboard input system-wide. An app with Accessibility permission can observe every keystroke you type, in any application. This is exactly the same technical capability used by keyloggers. We are not suggesting Google is running a keylogger – but the permission they are requesting would technically allow it.

Interact with UI elements in other applications. Accessibility permission allows an app to click buttons, read form fields, and navigate menus in other apps. This is useful for automation, but it also means the app has the technical ability to perform actions on your behalf without your knowledge.

Read the accessibility tree of any running application. This provides structured access to the content and state of every visible UI element across the system.

Why Google Needs This Permission

Google states that Accessibility permission is required for Gemini’s “Desktop Intelligence” feature – the ability to read and understand the content of web pages and other applications on your screen. This is a genuinely useful feature: you can ask Gemini about something you are looking at without having to copy and paste it.

But the gap between “what the feature needs” and “what the permission grants” is enormous. Gemini needs to read visible page content. The permission it requests allows it to read everything, monitor all input, and interact with all UI elements. There is no way to scope Accessibility permission to “just reading browser tabs” – it is all or nothing.

The App Store Difference

This is precisely why the App Store distribution model matters. A sandboxed Mac App Store app cannot request Accessibility permission at all. Apple’s sandbox explicitly prevents it. If Google had distributed Gemini through the Mac App Store, the app would have had to find alternative ways to provide screen reading functionality – ways that respect the sandbox boundary and do not require system-wide input monitoring capabilities.

By choosing DMG distribution, Google sidesteps this constraint entirely.

What Google Collects: A Data Inventory

Google’s Gemini Privacy Hub outlines what data is collected when you use Gemini. Here is a structured breakdown:

Data Category What Is Collected Retention User Control
Prompts and conversations Full text of your prompts and Gemini’s responses 18 months (default auto-delete) Can be reduced to 3 months or deleted manually
Generated content Images, code, and other outputs created during sessions Tied to conversation retention Deleted with conversation
Device information Device type, OS version, app version, hardware identifiers Standard Google retention Limited opt-out
Location information IP-derived location, potentially GPS if granted Standard Google retention Can be disabled in Google account settings
Subscription information Payment method, plan type, billing history Duration of account Account deletion
Usage analytics Feature usage patterns, session duration, error logs Standard Google retention Limited opt-out
Feedback data Thumbs up/down, reported issues Indefinite Can delete individual feedback

The 18-Month Default

The default retention period for conversations is 18 months. This means that every prompt you type into Gemini – including prompts that reference sensitive content visible on your screen via Accessibility permission – is stored on Google’s servers for a year and a half before being automatically deleted.

You can reduce this to 3 months in your Google account settings, or you can manually delete conversations. But the default is 18 months, and most users never change defaults.

Training Data Usage

Google states that conversations with Gemini may be reviewed by human annotators and used to improve Gemini models. You can opt out of this in your settings, but again, the default is opt-in. This means that by default, a human at Google (or a contractor) may read your conversations with Gemini – including conversations that reference content Gemini read from your screen.

Distribution Comparison: Gemini vs. ChatGPT vs. Claude

The contrast between Google’s approach and its competitors is stark.

Dimension Gemini for Mac ChatGPT Desktop Claude Desktop
Distribution DMG from gemini.google/mac Mac App Store Mac App Store
Sandboxed No Yes Yes
Apple Review Notarization only Full App Store review Full App Store review
Accessibility Permission Required for full features Not required Not required
Gatekeeper Warning Yes No No
Auto-Update Self-managed Apple-managed Apple-managed
Enterprise MDM Manual deployment App Store MDM support App Store MDM support
Data Retention Default 18 months 30 days (API) / varies 90 days

ChatGPT Desktop and Claude Desktop both chose to accept the constraints of the Mac App Store in exchange for the trust and security benefits it provides. Both apps run inside Apple’s sandbox. Neither requires Accessibility permission. Both receive Apple-managed updates.

Google chose the opposite path. Gemini for Mac runs outside the sandbox, requires the most powerful system permission on macOS, manages its own updates, and stores your data for 18 months by default.

This does not necessarily mean Google has malicious intent. There are legitimate technical reasons to distribute outside the App Store – particularly for apps that need deep system integration. But the trade-off is that users must place significantly more trust in Google than they need to place in OpenAI or Anthropic when using their respective desktop apps.

The Open-Source Alternative: bwendell/gemini-desktop

For users who want Gemini’s capabilities without Google’s data collection, there is an open-source alternative worth considering.

bwendell/gemini-desktop is a community-built desktop client for Gemini with 132 GitHub stars as of this writing. It is built on Electron and markets itself with “trust-first defaults” and “zero telemetry.” Because the source code is open and auditable, you can verify these claims yourself – something that is impossible with Google’s closed-source app.

The trade-off is clear: bwendell/gemini-desktop will not have the deep system integration of Google’s native Swift app, and it depends on community maintenance rather than Google’s engineering resources. But for users whose primary concern is privacy and data minimization, an open-source client with zero telemetry is a fundamentally different trust proposition than a closed-source app from the world’s largest advertising company.

Practical Recommendations for Users

If you decide to use Google’s Gemini for Mac despite these concerns, here are concrete steps to reduce your risk:

Reduce data retention. Immediately after installing, go to your Google account settings and reduce the Gemini activity auto-delete period from 18 months to 3 months. Better yet, set it to delete manually and make a habit of clearing your history.

Opt out of training data usage. In your Google account privacy settings, disable the option that allows Google to use your Gemini conversations for model improvement. This prevents human reviewers from reading your prompts.

Be selective with Accessibility permission. If you do not need Gemini to read your screen or browser tabs, do not grant Accessibility permission. The app will still function for direct conversations – you just lose the contextual screen reading feature.

Close sensitive applications. When Accessibility permission is enabled, Gemini can technically read any visible window. Before using screen-aware features, close or minimize applications containing sensitive information – banking, medical records, private communications.

Monitor permission usage. Periodically check System Settings, then Privacy and Security, then Accessibility to review which apps have this permission. Remove it from Gemini when you are not actively using the screen reading feature.

Consider the open-source alternative. If your primary use case is straightforward Gemini conversations without screen integration, bwendell/gemini-desktop provides the same model access with a transparent, auditable codebase and no telemetry.

The Bigger Picture: Why Distribution Model Matters

Google’s decision to distribute Gemini for Mac outside the App Store is not just a one-off product choice – it reflects a broader tension in the AI industry between capability and constraint.

Apple’s App Store sandbox was designed for a world where applications were self-contained. AI assistants that need to understand your full desktop context – reading screens, understanding workflows, integrating with other apps – push against these boundaries. Google’s response was to sidestep the sandbox entirely. Anthropic and OpenAI found ways to work within it, accepting some feature limitations in exchange for stronger security guarantees.

As AI desktop apps become more powerful and more deeply integrated with our operating systems, the question of how they are distributed – and what system permissions they require – will become one of the most important security decisions users make. The difference between “this app can read my current browser tab” and “this app can read everything on my screen and log every keystroke” is not a minor technical detail. It is a fundamental question about how much of your digital life you are willing to expose.

Choose accordingly.

A Better Way to Use Gemini on Your Desktop

The security concerns outlined in this post are real, but they are not inherent to using Gemini on your desktop – they are specific to Google’s distribution and permission choices.

GeminiDesktop.app takes a different approach. We are building a native macOS Gemini client that prioritizes user trust: transparent permission usage, minimal data collection, and architecture designed around the principle that your desktop context should stay on your desktop unless you explicitly choose to share it.

If you want access to Gemini’s frontier models through a desktop app that respects your security boundaries, try the beta at geminidesktop.app/app.

References