I noticed that certain versions of macOS (back then, called OS X) would leak small ammounts of spotlight indexed data to any USB drive that was inserted into the system, even when locked. The project named spotPlight was the result of automating the extraction of this data. I found that rapidly inserting and removing up to 128 emulated USB drives at a time into macOS system using a raspberry pi, that it was possible to exfiltrate data from a locked macOS system.
A full writeup can be found here: https://fyrmassociates.com/blog/2018/12/01/macos-spotlight-data-leak/
spotPlight github repo: https://github.com/fyrm/spotplight/