He is also assuming that the attacker has full control under whatever privileges the daemon has.
If, for instance, the daemon has a bug which allows you to write to an arbitrary path, and it does not have DAC_OVERRIDE and is not running as root, you cannot use that directly to for instance overwrite /etc/shadow. Instead, you have to first find another bug in the daemon (perhaps first writing to some file it will read and misinterpret) to be able to execute arbitrary code under the daemon's privileges. Only then you can exploit the capabilities as he described.
To explain in another way: you have a barrier (the daemon itself) which should pass nothing but accidentally lets pass B and D. The capabilities the daemon has allow it to do A and C. Unless you can own the daemon (thus being able to do anything it can do), you cannot pass the combined barrier, unless the holes happened to align (both the daemon and its capabilities allowed you to do E, for instance).