What you have here is more like quite a big security research topic than a programming question ofc.
Briefly, you can't do the thing 100% on Mac in a usable way, because the whole idea behind the Apple marketing thing is user privacy, which can be broken and sold only by Apple and to Apple, not some 3rd-party apps.
Why the remark about a usable way? You can for sure write a kext, hook into all sorts of things and monitor all sorts of APIs, but you should keep your SIP disabled then, and it is reasonably hard to get your users to do that.
Some parts of what you desire could still be done with SIP on: macOS keeps some source info in the xattrs of downloaded files (via browsers), ESF could correlate them with processes, with NetworkExtension you could do MitM and parse traffic to find possible uploads/downloads, etc. You may create a list of supported well-known apps, inspect what specific sequence of file/other events leads for each app to your high-level operations of interest, and detect it.
This will work in a way, it will fail sometimes, probably a lot, nothing new for the world of macOS 3rd-party security projects.
However, the whole thing makes a little sense, because some app can for example request some data, then keep it in memory without writing it on disk, then add another part of data on its own to the requested, wait for an hour making changes still in memory, then save the result on disk. But wait, not just writing to a new file, but adding to some existing one, which was created without internet. Well, but then (after a while), removing the content that was not requested from web. And adding another pre-generated brick of data in the end. Is it a downloaded file or what? :)
If I open the text file and copy all its content (or all symbols except the last one-two-ten) to pasteboard, then paste it in an input field on a website - am I doing a file upload or not?
So maybe what you need here is to reconsider the goal in business terms, and return to it in tech terms then.
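
The download xattrs mentioned in the answer can be decoded as shown below; this is an added example, not part of the original answer. It assumes the attributes in question are `com.apple.metadata:kMDItemWhereFroms` and `com.apple.quarantine`, that the raw bytes have already been read by the caller, and that the quarantine timestamp is hex Unix seconds; function names and sample values are constructed for illustration.

```python
import plistlib
from datetime import datetime, timezone

WHERE_FROMS = "com.apple.metadata:kMDItemWhereFroms"
QUARANTINE = "com.apple.quarantine"


def parse_where_froms(raw):
    """kMDItemWhereFroms is a binary plist holding an array of origin URLs."""
    try:
        value = plistlib.loads(raw)
    except Exception:
        # Any local process can write xattrs, so malformed data means "unknown".
        return []
    if not isinstance(value, list):
        return []
    return [v for v in value if isinstance(v, str) and v]


def parse_quarantine(raw):
    """com.apple.quarantine is text: flags;hex_timestamp;agent;event_uuid."""
    fields = raw.decode("utf-8", "replace").rstrip("\x00").split(";")
    fields += [""] * (4 - len(fields))
    flags, stamp, agent, event_id = fields[:4]
    try:
        # Assumption: the timestamp is hex seconds since the Unix epoch.
        when = datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        when = None
    return {"flags": flags, "time": when, "agent": agent or None,
            "event_id": event_id or None}


def describe_origin(xattrs):
    """Summarise download provenance from a {name: raw_bytes} xattr mapping."""
    urls = parse_where_froms(xattrs[WHERE_FROMS]) if WHERE_FROMS in xattrs else []
    q = parse_quarantine(xattrs[QUARANTINE]) if QUARANTINE in xattrs else None
    # Missing xattrs only mean "no recorded provenance", not "never downloaded".
    return {"has_provenance": bool(urls or q), "urls": urls, "quarantine": q}


# Constructed sample values, not captured from a real file.
SAMPLE = {
    WHERE_FROMS: plistlib.dumps(
        ["https://example.com/files/report.pdf", "https://example.com/"],
        fmt=plistlib.FMT_BINARY),
    QUARANTINE: b"0083;5f3a2b1c;Safari;11111111-2222-3333-4444-555555555555",
}

if __name__ == "__main__":
    print(describe_origin(SAMPLE))
    print(describe_origin({}))  # a file with no download xattrs at all
```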