> He is also assuming that the attacker has full control under whatever privileges the daemon has.
That is the point.
The idea behind capabilities is that you can reduce the exploit potential of bugs in otherwise setuid programs. Both Fedora and Ubuntu are expressing interest in eliminating their set of 'setuid by default' programs and replacing it with a capabilities system for that expressed purpose.
The theory is that if you get rid of setuid privileges and use capabilities instead, then if programs end up having a bug you won't be handing over full root access.
Spender was pointing out that 20 of the 35 capabilities offered by the Linux kernel provide little security benefit over just making the binaries 'setuid root', since those capabilities alone are enough to gain full root access. (Remember that probably 15 capabilities are relatively safe to delegate and provide advantages over just using setuid root permissions.)
The idea is that there remains quite a lot of work in hardening those capabilities to make them safe for their expressed purpose, if that is even possible. (Apparently capabilities with PaX can solve most of the issues.)
It is important that, as administrators, everybody has a good understanding of what is a 'safe' capability versus the potential vulnerabilities you may be opening yourself up to if you use them.
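An added example, not part of the comment above: an audit that reads `getcap -r` output and flags binaries whose file capabilities include a root-equivalent one. The `ROOT_EQUIVALENT` set is an assumed, illustrative subset and not the 20 capabilities the comment refers to; the sample output and its paths are constructed.

```python
import re

# Assumption: an illustrative subset of capabilities widely regarded as
# sufficient to reach full root; not the list referred to in the discussion.
ROOT_EQUIVALENT = {
    "cap_sys_admin", "cap_sys_module", "cap_sys_rawio", "cap_sys_ptrace",
    "cap_dac_override", "cap_dac_read_search", "cap_setuid", "cap_setgid",
    "cap_chown", "cap_fowner", "cap_setfcap",
}

# Constructed sample of `getcap -r /` output (hypothetical paths), covering
# the older "path = caps+flags" and the newer "path caps=flags" line formats.
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/backup-helper cap_dac_read_search,cap_chown=ep
/usr/sbin/timed cap_sys_time+ep cap_net_bind_service+eip
/opt/tools/loader = cap_sys_module,cap_net_admin+ep
/usr/bin/anything =ep
"""

def parse_caps(text):
    """Return the capability names granted by a cap_to_text style string."""
    caps = set()
    for clause in text.split():
        m = re.match(r"^([a-z0-9_,]*)([=+-])([eip+=-]*)$", clause)
        if not m or m.group(2) == "-" or not m.group(3):
            continue  # unparsable, a removal, or an empty flag set
        names = m.group(1)
        # An empty name list or "all" means every capability.
        caps |= {"all"} if names in ("", "all") else set(names.split(","))
    return caps  # removals are ignored, so this over-approximates

def audit(getcap_output):
    """Map each path to the sorted root-equivalent capabilities it carries."""
    findings = {}
    for line in getcap_output.splitlines():
        # Paths containing spaces are not handled by this simple split.
        m = re.match(r"^(\S+)\s+(?:=\s+)?(.*)$", line.strip())
        if not m:
            continue
        caps = parse_caps(m.group(2))
        risky = ROOT_EQUIVALENT if "all" in caps else caps & ROOT_EQUIVALENT
        if risky:
            findings[m.group(1)] = sorted(risky)
    return findings

if __name__ == "__main__":
    for path, caps in audit(SAMPLE).items():
        print(f"{path}: {', '.join(caps)}")
```

Binaries it reports deserve the same scrutiny as setuid-root programs; the others have a narrower privilege set.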