Splitting privileges that are each equal to root into their own capability doesn't seem to achieve much, at least from a security point of view. Forty capabilities that are root-equivalent aren't better than ten, or indeed one.
So it seems the main target should be those privileges or groups of privileges controlled by CAP_SYS_ADMIN which, after thorough examination, are useful separately without being root-equivalent in common systems. These could be given a new capability bit or added to an appropriate existing one.
Doing that "thorough examination" first is necessary I think, particularly for capabilities that already exist. Mistakenly adding some root-equivalent privilege to a capability because it "looked appropriate" superficially would be almost as bad as accidentally removing the capability checks from something vital. Having a new privilege temporarily in the CAP_SYS_ADMIN catch-all is much less awful.
Of course, as with any bug, exactly how much a capability buys you will vary from one system to another. Snooping old-fashioned telnet was usually a goldmine. Snooping SSH is much less so (but far from completely useless). On some systems reading /etc/shadow is a big coup, on others not so much (e.g. there may be nothing in there but a (hash of the) local root password which can only be used on a physical console...). For this reason I don't much like Brad's classification of some escalations as "generic", but the idea of figuring out what attackers _might_ do with a privilege is definitely something to be left to white or grey hats and not the people doing routine Linux kernel development.
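The comment above argues that what matters is which capability bits a process actually holds, and that CAP_SYS_ADMIN is the catch-all. The following is an added example, not code from the commenter or from the kernel, showing how a defender can decode the `CapEff`/`CapPrm`/`CapBnd` masks that `/proc/<pid>/status` prints and compare a service's effective set against the capabilities it is supposed to need. The bit numbers follow `include/uapi/linux/capability.h` (CAP_CHOWN = 0 through CAP_CHECKPOINT_RESTORE = 40); the `/proc` status text is a constructed sample, and the allowlist used in the audit is an assumption for the sake of illustration.

```python
"""Decode Linux capability masks as shown in /proc/<pid>/status and audit them.

Added example (not from the original page). Bit positions match
include/uapi/linux/capability.h on current kernels.
"""
from __future__ import annotations

import re

# Index in this list == capability bit number in the kernel's uapi header.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The catch-all capability discussed in the comment above (bit 21).
CAP_SYS_ADMIN = CAP_NAMES.index("CAP_SYS_ADMIN")

# Constructed sample of the capability lines from /proc/<pid>/status.
# CapEff 0x200400 = bit 10 (CAP_NET_BIND_SERVICE) | bit 21 (CAP_SYS_ADMIN).
SAMPLE_STATUS = (
    "Name:\tnginx\n"
    "Pid:\t4242\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000200400\n"
    "CapEff:\t0000000000200400\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def decode_mask(hex_mask: str) -> list[str]:
    """Turn a hex capability mask into the names of the set bits, lowest bit first."""
    value = int(hex_mask, 16)
    names = []
    for bit in range(value.bit_length()):
        if (value >> bit) & 1:
            # Bits above the last known capability get a placeholder rather than an IndexError.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_UNKNOWN_{bit}")
    return names


def parse_status(status_text: str) -> dict[str, list[str]]:
    """Extract and decode every Cap* line from a /proc/<pid>/status dump."""
    return {m.group(1): decode_mask(m.group(2)) for m in _CAP_LINE.finditer(status_text)}


def audit_effective(status_text: str, allowed: set[str]) -> list[str]:
    """Return effective capabilities the service holds but is not expected to need.

    CAP_SYS_ADMIN is listed first when present, since it is the catch-all whose
    contents cannot be reasoned about bit by bit.
    """
    effective = parse_status(status_text).get("CapEff", [])
    unexpected = [cap for cap in effective if cap not in allowed]
    unexpected.sort(key=lambda cap: (cap != CAP_NAMES[CAP_SYS_ADMIN], cap))
    return unexpected


if __name__ == "__main__":
    # Assumed allowlist: a web server binding port 80 needs only CAP_NET_BIND_SERVICE.
    for name, caps in parse_status(SAMPLE_STATUS).items():
        print(f"{name}: {', '.join(caps) or '(none)'}")
    print("unexpected:", audit_effective(SAMPLE_STATUS, {"CAP_NET_BIND_SERVICE"}))
```

To audit a live process, read `/proc/<pid>/status` and pass its contents to `audit_effective` with the allowlist for that service; an empty result means the effective set is within the expected bits, while `CAP_SYS_ADMIN` in the result is the case the comment above warns about, because that one bit covers an unknown number of unrelated privileges.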