Whether writes to @path are permitted for this sandbox profile. Must match build_bubble_args (bind / overlay / tmpfs / dev-bind).
absolute path from NOTIFY (caller must not pass raw tool strings to re-tokenize)