
    iOS limited photo library access

    A 2026 view of iOS photo access options, the system picker returning only chosen items with no permission, Limited Access sharing a subset, contrasted with broad full library access

    When your app needs a photo from the user, the instinct is to request photo library access and read what you need. iOS offers a much better path for privacy: a system picker that lets the user choose photos without granting your app any library access at all, so you receive only the items they picked and never see the rest. And when you genuinely need library access, the user can grant access to just a selection rather than everything. Requesting full access when you only need a couple of photos is over-permissioning, the kind of thing the App Privacy Report and reviewers notice. Here is how iOS photo access works and how to take only what you need.

    Short answer

    iOS lets apps access photos with least privilege rather than always requesting the full library. Per Apple, the system photo picker lets the user select photos without granting any library-access permission, so your app receives only the chosen items and never sees the whole library, which is the recommended approach for most apps. When an app does request library access, the user can choose Limited Access and pick the specific photos the app may see, and an app that only saves photos can request add-only access. The principle is to use the picker when you just need the user to choose photos, support limited access gracefully when you need broader access, and request only the access level your feature requires.

    What you should know

    • The system photo picker needs no library permission: you get only chosen items.
    • It is the recommended path for most apps: minimal and private by design.
    • Users can grant Limited Access: selecting specific photos, not all.
    • Add-only access exists: for apps that only save photos.
    • Request only the access your feature needs: avoid full access by default.

    How do the photo access options compare?

    By how much of the library your app actually sees. The table contrasts them.

    Option               | What your app gets
    System photo picker  | Only the items the user picks; no library permission
    Limited Access       | Only the specific photos the user selects to share
    Full Access          | The entire photo library
    Add-only access      | Permission to save photos, not read them

    The options differ sharply in how much they expose. The system photo picker is the most private: the user picks photos in a system-provided interface, and your app receives just those items, with no permission prompt for library access and no ability to see anything else, which suits the common case where you simply need the user to choose one or more photos. Limited Access applies when your app requests library access and the user chooses to share only specific photos, so even with a granted permission your app sees a user-selected subset rather than everything. Full Access exposes the entire library and should be reserved for apps that genuinely need to browse or manage the whole collection. Add-only access is for apps that only need to save photos, granting the ability to write without the ability to read. Choosing the narrowest option that fits your feature is the whole game.
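
    The picker row of the table, as an added example that is not code from the original article: a UIKit view controller that lets the user choose one image through PHPickerViewController without any library permission. The class name AvatarPickerViewController and the onImagePicked callback are hypothetical.

```swift
import UIKit
import PhotosUI

// Hypothetical view controller: obtains one image with no photo library permission.
final class AvatarPickerViewController: UIViewController, PHPickerViewControllerDelegate {
    // Hypothetical callback that hands the chosen image to the rest of the app.
    var onImagePicked: ((UIImage) -> Void)?

    func presentPicker() {
        // Default initializer: no PHPhotoLibrary is attached, so results carry no
        // asset identifiers and the app needs no NSPhotoLibraryUsageDescription.
        var config = PHPickerConfiguration()
        config.filter = .images      // images only, no videos
        config.selectionLimit = 1    // ask for exactly what the feature needs
        let picker = PHPickerViewController(configuration: config)
        picker.delegate = self
        present(picker, animated: true)
    }

    func picker(_ picker: PHPickerViewController,
                didFinishPicking results: [PHPickerResult]) {
        picker.dismiss(animated: true)
        // An empty array means the user cancelled; nothing was shared with the app.
        guard let provider = results.first?.itemProvider,
              provider.canLoadObject(ofClass: UIImage.self) else { return }
        // The picker runs out of process; only the chosen item is handed over.
        provider.loadObject(ofClass: UIImage.self) { [weak self] object, _ in
            guard let image = object as? UIImage else { return }
            // The completion handler is not called on the main thread.
            DispatchQueue.main.async { self?.onImagePicked?(image) }
        }
    }
}
```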

    Why prefer the picker and limited access?

    Because they minimize what your app can see, which is both better privacy and less risk for you. The most private design is to never request library access at all and use the system picker, since data you never have access to cannot be misused, exposed in a breach, or appear as a concern in the App Privacy Report. Full photo library access is broad and sensitive: the library can contain a person's most private images and metadata, so requesting it when you only need the user to pick a photo is over-permissioning that users and reviewers notice, and that you then have to justify and protect. Limited Access exists precisely so that an app needing library access does not have to see the whole library, and a well-behaved app supports it gracefully rather than nagging the user to grant full access. Requesting add-only when you only save photos similarly avoids taking read access you do not need. The theme is least privilege applied to a highly sensitive resource: take the narrowest access that does the job, and prefer no access at all via the picker.

    How do you access photos with least privilege?

    Match the access level to what your feature actually does. If you need the user to choose one or more photos, use the system picker and request no library access, which covers a large share of apps and is the most private option. If you genuinely need broader access, to browse or manage the library, request it, but support Limited Access properly: handle the case where the user shares only a selection, work with that subset, and do not pressure the user toward full access or break when they choose limited. If your app only saves images, request add-only access rather than full read-write access. Whatever level you use, write a clear purpose string explaining why, and keep your actual usage consistent with what you requested and with your privacy disclosures. Treat any photos you do receive as sensitive data, handling and storing them accordingly. The principle is to start from the picker, step up only as far as your feature requires, and support the user's choice to share less, so your app holds the minimum of a sensitive resource.
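
    The two step-up cases described above, as an added example that is not code from the original article: an add-only save, and a read request that treats Limited Access as a normal outcome. The PhotoAccess type and its function names are hypothetical; the purpose-string keys named in the comments are the Info.plist keys each access level requires.

```swift
import UIKit
import Photos
import PhotosUI

// Hypothetical helper: request the narrowest access level each feature needs.
enum PhotoAccess {
    // Save-only feature: .addOnly grants write without read.
    // Requires NSPhotoLibraryAddUsageDescription in Info.plist.
    static func save(_ image: UIImage, completion: @escaping (Bool) -> Void) {
        PHPhotoLibrary.requestAuthorization(for: .addOnly) { status in
            guard status == .authorized else { completion(false); return }
            PHPhotoLibrary.shared().performChanges({
                _ = PHAssetChangeRequest.creationRequestForAsset(from: image)
            }, completionHandler: { success, _ in completion(success) })
        }
    }

    // Browsing feature: .readWrite, but a user-selected subset is a valid result.
    // Requires NSPhotoLibraryUsageDescription in Info.plist.
    // The completion may run off the main thread.
    static func loadVisibleAssets(completion: @escaping (PHFetchResult<PHAsset>?) -> Void) {
        PHPhotoLibrary.requestAuthorization(for: .readWrite) { status in
            switch status {
            case .authorized, .limited:
                // Under .limited the same fetch returns only the photos the user
                // chose to share, so the feature works on that subset unchanged.
                completion(PHAsset.fetchAssets(with: .image, options: nil))
            case .denied, .restricted, .notDetermined:
                completion(nil)
            @unknown default:
                completion(nil)
            }
        }
    }

    // Wire this to an explicit user action (for example a "Manage selection"
    // button) instead of prompting for full access. Call on the main thread.
    static func letUserChangeSelection(from viewController: UIViewController) {
        guard PHPhotoLibrary.authorizationStatus(for: .readWrite) == .limited else { return }
        PHPhotoLibrary.shared().presentLimitedLibraryPicker(from: viewController)
    }
}
```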

    What to watch out for

    The first trap is requesting full library access when the system picker would do, which is over-permissioning of a sensitive resource that users and the App Privacy Report surface; use the picker. The second is not supporting Limited Access gracefully, pressuring users for full access or mishandling a shared subset. The third is requesting read access when add-only would suffice for an app that only saves photos. Photo access is configured in your app and its purpose strings, so a pre-submission scan such as PTKD.com (https://ptkd.com), which reads the compiled IPA against OWASP MASVS, surfaces the permissions your app requests and its privacy posture, helping you confirm you are not requesting more photo access than you need.

    What to take away

    • iOS lets apps access photos with least privilege: the system picker returns only chosen items with no library permission, and Limited Access lets users share a selected subset.
    • Prefer the system picker when you just need the user to choose photos, since data you never access cannot be misused, and full library access is broad, sensitive, and noticed when unjustified.
    • Support Limited Access gracefully when you need broader access, request add-only when you only save photos, and write clear purpose strings consistent with your usage.
    • Use a pre-submission scan such as PTKD.com to surface the photo access your app requests and confirm it matches what your feature needs.

    Frequently asked questions

    What is the iOS system photo picker?
    It is a system-provided interface that lets the user select photos and returns only the chosen items to your app, without granting any library-access permission. Because the picker runs as part of the system and your app receives just the picked photos, you never see the rest of the library and there is no library permission prompt. It is the most private way to let a user choose photos and the recommended approach for the common case where you simply need one or more images, since your app never gains access to the whole library at all.
    What is Limited Access to the photo library?
    It is an option the user can choose when an app requests photo library access: instead of granting access to the entire library, they select specific photos to share, and the app sees only that subset. So even with a granted permission, your app does not necessarily see everything. Limited Access exists so an app needing library access does not have to expose the whole collection, and a well-behaved app supports it gracefully, working with the shared subset rather than pressuring the user to grant full access to everything in their library.
    Why not just request full photo library access?
    Because the library is one of the most sensitive resources on the device, containing a person's most private images and metadata, so requesting full access when you only need the user to pick a photo is over-permissioning that users and the App Privacy Report notice and that you then must justify and protect. The most private design is to use the system picker and request no access at all, since data you never access cannot be misused or exposed in a breach. Reserve full access for apps that genuinely need to browse or manage the whole library.
    What is add-only photo access?
    It is an access level for apps that only need to save photos to the library, not read from it. Add-only access grants the ability to write images without the ability to read the user's existing photos, which is the right least-privilege choice for an app whose only photo interaction is saving its own output. Requesting full read-write access when you only save photos takes read access you do not need, exposing the user's library unnecessarily. Matching the access level to what your feature actually does, here add-only, keeps your app's footprint minimal.
    How do I check my app's photo access?
    Scan the build. Photo access is configured in your app and its purpose strings, so a pre-submission scan such as PTKD.com reads the compiled IPA against OWASP MASVS and surfaces the permissions your app requests and its privacy posture, helping you confirm you are not requesting more photo access than your feature needs. If it shows full library access where the system picker or add-only access would suffice, the fix is to switch to the narrower option and support Limited Access gracefully, with a purpose string consistent with your actual usage.
