@pid_eins, I read the whole thread and I see 3 main points:
* complicated configuration;
* no way to acquire privileges temporarily;
* hard to get a clean environment during a privileged operation.

We are leaving the first point aside (it's about trade-offs). And for the remaining two, it's better to allow the kernel to manage privilege acquisition (e.g. by forwarding requests to systemd via a new kernel mechanism) and to create a clean environment during these operations. Am I still missing something?