diff --git a/Sources/SWBCore/SpecImplementations/Tools/ProductPackaging.swift b/Sources/SWBCore/SpecImplementations/Tools/ProductPackaging.swift
index 0c095dbf..724d47a0 100644
--- a/Sources/SWBCore/SpecImplementations/Tools/ProductPackaging.swift
+++ b/Sources/SWBCore/SpecImplementations/Tools/ProductPackaging.swift
@@ -124,18 +124,26 @@ public final class ProductPackagingToolSpec : GenericCommandLineToolSpec, SpecId
         // This is only supported when App Sandbox or Hardened Runtime is enabled.
         for (buildSetting, entitlementPrefix) in Self.sandboxFileAccessSettingsAndEntitlements {
             let fileAccessValue = cbc.scope.evaluate(buildSetting)
+            let correspondingEntitlementKey: String?
+
             switch fileAccessValue {
             case .readOnly:
-                entitlementsDictionary["\(entitlementPrefix).read-only"] = .plBool(true)
+                correspondingEntitlementKey = "\(entitlementPrefix).read-only"
             case .readWrite:
-                entitlementsDictionary["\(entitlementPrefix).read-write"] = .plBool(true)
+                correspondingEntitlementKey = "\(entitlementPrefix).read-write"
             case .none:
-                break
+                correspondingEntitlementKey = nil
+            }
+
+            // The entitlements file is the ultimate authority, so if this is already configured there the build system should respect that.
+            if let correspondingEntitlementKey, entitlementsDictionary[correspondingEntitlementKey] == nil {
+                entitlementsDictionary[correspondingEntitlementKey] = .plBool(true)
             }
         }

         for (buildSetting, entitlement) in Self.sandboxAndHardenedRuntimeBooleanEntitlements {
-            if cbc.scope.evaluate(buildSetting) {
+            // The entitlements file is the ultimate authority, so if this is already configured there the build system should respect that.
+            if cbc.scope.evaluate(buildSetting) && entitlementsDictionary[entitlement] == nil {
                 entitlementsDictionary[entitlement] = .plBool(true)
             }
         }
diff --git a/Tests/SWBBuildSystemTests/EntitlementsBuildOperationTests.swift b/Tests/SWBBuildSystemTests/EntitlementsBuildOperationTests.swift
index b3e808f0..45865925 100644
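Review bot: The `== nil` guards in both loops treat any existing value under the key as authoritative, not just a boolean, so a mistyped entry in the entitlements file (a string or array under `com.apple.security.network.server`, say) now survives where it was previously overwritten with `.plBool(true)`, and a build setting that the file silently contradicts produces no diagnostic at all; if that is intended the comment should say so, otherwise the conflict is worth reporting through whatever diagnostics channel this method already has (not visible in the hunk, so none is assumed below). The same explanatory comment is pasted verbatim above both checks, and the check-then-set is duplicated; a single local helper that both loops call keeps the precedence rule in one place and documents it once. The enclosing method starts and ends outside the hunk.
```swift
        // The entitlements file is the ultimate authority: a key it already configures
        // (even as `false`, or with an unexpected type) is never overridden by a build setting.
        func enableEntitlementUnlessConfigured(_ key: String) {
            guard entitlementsDictionary[key] == nil else { return }
            entitlementsDictionary[key] = .plBool(true)
        }

        // … unchanged: file-access loop and switch computing correspondingEntitlementKey …
            if let correspondingEntitlementKey {
                enableEntitlementUnlessConfigured(correspondingEntitlementKey)
            }
        // … unchanged: sandboxAndHardenedRuntimeBooleanEntitlements loop header …
            if cbc.scope.evaluate(buildSetting) {
                enableEntitlementUnlessConfigured(entitlement)
            }
```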
--- a/Tests/SWBBuildSystemTests/EntitlementsBuildOperationTests.swift
+++ b/Tests/SWBBuildSystemTests/EntitlementsBuildOperationTests.swift
@@ -388,7 +388,7 @@ fileprivate struct EntitlementsBuildOperationTests: CoreBasedTests {
                         "com.apple.security.cs.debugger": "1",
                         "com.apple.security.cs.disable-executable-page-protection": "1",
                         "com.apple.security.cs.disable-library-validation": "1",
-                        "com.apple.security.device.audio-input": "1",
+                        "com.apple.security.device.audio-input": "0",
                         "com.apple.security.device.bluetooth": "1",
                         "com.apple.security.personal-information.calendars": "1",
                         "com.apple.security.device.camera": "1",
@@ -398,7 +398,7 @@ fileprivate struct EntitlementsBuildOperationTests: CoreBasedTests {
                         "com.apple.security.files.downloads.read-write": "1",
                         "com.apple.security.assets.pictures.read-only": "1",
                         "com.apple.security.assets.music.read-write": "1",
-                        "com.apple.security.assets.movies.read-only": "1",
+                        "com.apple.security.assets.movies.read-only": "0",
                         "com.apple.security.network.client": "1",
                         "com.apple.security.network.server": "1",
                     ],
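Review bot: The two flipped entries (`audio-input` and `assets.movies.read-only` set to `"0"`) exercise only the case where the entitlements file disables something the build settings enable; nothing visible in either hunk covers a key that is absent from the file and so must still be filled in from the build setting, which is the branch that would regress if the new `== nil` guard were ever inverted. Whether this dictionary is the test's input entitlements file or its expected output is not visible here, but either way a short comment on the changed lines such as `// explicitly disabled in the entitlements file; must win over the build setting` would make the intent of the `"0"` values clear to the next reader. The enclosing test function starts and ends outside both hunks.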