having the ability to sniff passwords/keys/monitor sudo access/etc etc.
All these things qualify as serious issues where you might as well just give them root immediately. Sure, there is a practical difference; maybe somebody has enough intelligence to run a prepared script to exploit a capability-privileged binary, but not enough smarts to know what to do with the ability to ptrace a shell account or whatever... so you _might_ be better off. Maybe not. Maybe you'll win the lottery, too. Maybe nobody will notice that your SMTP server is misconfigured to be an open relay.
But from the perspective of having to actually secure a system it really does not matter.
The difference of a few cycles to get UID0 to a few days to sniff root password is not really a big deal when faced with an exploitable vulnerability.