While this question originated primarily in MacOS Catalina and its new security features, I want to know how security measures are leveled with UX options so poor in the user's vision.

Catalina's experience

Just so you understand what I mean, I have 10 Apple devices. A couple of weeks ago, with the iOS update before Catalina, everything broke down due to iTunes sync issues. I finally ended up resetting all 3 iOS devices to factory default, and I lost a lot of information, but hey ... despite the trouble, I thought it was over, so I didn't care much.

Now, after 48 hours of using Catalina, I get more and more upset. Everything (and I mean ABSOLUTELY EVERYTHING) requires permits. Sometimes, they are hidden behind active screens. As an example of HORRIBLE UX something that just happened to me: while I was sure I was capturing the screen for a client for a period of 3 hours, once I closed the active application window, I saw a notification that I had to Give permission for my iMac to capture the screen. When I checked the catches, I saw that I had 3 hours of nothing more than Catalina's welcome image.

For those who do not use Catalina, here is an example of Catalina UX (taken from this article):

In a case like this, the user's obvious behavior will be "accept, close, close, close, stop bothering me, do whatever you want", which is the definition of anti-security and an obvious UX anti-pattern.

Other systems

Of course, Catalina is not the only one, Windows had a good amount of UX nightmares. The same with banking applications, ATM user flows, 2FA that prevents users from taking an action, etc. The conclusion is that legitimate security concerns are generally overshadowed by the horrible user experience to the point that users engage in unsafe behaviors. I can confirm that this is becoming a really worrying trend after working on usability surveys for a well-known antivirus: most users hated security features and simply disabled the antivirus or ignored the warnings.

Thus, here's my question (s):

• Is there any acceptable threshold to define a compromise between security and user experience? If so, how is that threshold measured?
• Are there independent studies that show how users react to such security measures that do not favor their own experience?