System Integrity Protection (SIP)
While “rootless” was mostly marketing, SIP actually hardened the Mac by preventing modifications to the following locations:
All apps preinstalled by Apple
The exceptions to the rule are apps or processes that have been signed by Apple and have a special entitlement to write to system files. This includes Apple installers and Apple software update services.
SIP is effective at stopping system locations from being written to by third-party apps and services. Only Apple-signed system processes can write to system locations.
This will find all files (not symlinks) with the executable bit set:
find . -perm +111 -type f
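This will also find symlinks (which are often equally important). Because -or binds more loosely than the implied "and" between the other tests, every symlink matches regardless of its mode bits: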
find . -perm +111 -type f -or -type l
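The two searches above as a small inventory script. This is an added example, not code from the original page. The function names list_exec_files and list_symlinks are made up for illustration. It uses octal "-perm -NNN" tests instead of "+111", which newer GNU find rejects, so the same script runs on macOS and Linux, and it also reports where each symlink points and whether the target exists.

```shell
#!/bin/sh
# Inventory executable regular files and symlinks under a directory.
# Function names are illustrative, not from the original page.

# list_exec_files DIR
# Regular files with any execute bit set (owner, group or other).
# Same result as "-perm +111 -type f" on macOS, but written with
# octal "all of these bits" tests that BSD and GNU find both accept.
list_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# list_symlinks DIR
# Every symlink, with its target and whether the target resolves.
# The names are passed to the inner shell as arguments, so paths
# containing spaces are handled correctly.
list_symlinks() {
    find "$1" -type l -exec sh -c '
        for link do
            if [ -e "$link" ]; then state=ok; else state=dangling; fi
            printf "%s -> %s [%s]\n" "$link" "$(readlink "$link")" "$state"
        done' sh {} +
}

# When called with a directory argument, print both inventories.
if [ "$#" -gt 0 ]; then
    list_exec_files "$1"
    list_symlinks "$1"
fi
```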