I absolutely loathe the capabilities. Their current implementation is braindead and their pushers should be put up against the wall and shot.
First, in the good old times I could just look at an executable and see if it's a setuid executable. Which means "it may be dangerous, beware".
Right now we have tons of capabilities with quite a lot of them equivalent to root access, which are hidden away in extended attributes. And people somehow think it's a GOOD thing.
Then there's a question of braindead el-dumbo capability inheritance. I have not been able, after literally hours of trying, to grant my Java program access to restricted ports. Should be easy, right? There definitely should be a program which you can run as root, and which will drop excessive capabilities and set uid to another user. Right? Well, think again.
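An added example, not part of the comment above and not code from any project it mentions: a Linux-only audit sketch that walks a directory and reports setuid/setgid files alongside files carrying capabilities in the `security.capability` extended attribute, decoding the kernel's `vfs_cap_data` layout directly. The `HIGH_RISK` set, the `SAMPLE_XATTR` bytes and the default `/usr/bin` path are assumptions of this example.

```python
import os, stat, struct, sys

# Subset of capability numbers from linux/capability.h; others print as cap_<n>.
CAP_NAMES = {1: "cap_dac_override", 2: "cap_dac_read_search", 6: "cap_setgid",
             7: "cap_setuid", 10: "cap_net_bind_service", 16: "cap_sys_module",
             19: "cap_sys_ptrace", 21: "cap_sys_admin"}
# Assumption: this example's own pick of capabilities to review as root-equivalent.
HIGH_RISK = set(CAP_NAMES.values()) - {"cap_net_bind_service"}
SAMPLE_XATTR = bytes.fromhex("0100000200040000" + "00" * 12)  # constructed value

def decode_file_caps(raw):
    """Decode a security.capability xattr value (struct vfs_cap_data, little-endian)."""
    if len(raw) < 4:
        raise ValueError("truncated security.capability value")
    (magic,) = struct.unpack_from("<I", raw, 0)
    words = {1: 1, 2: 2, 3: 2}.get(magic >> 24)  # revision -> count of 32-bit words
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unrecognised security.capability value")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    def names(mask):
        return sorted(CAP_NAMES.get(n, f"cap_{n}") for n in range(64) if mask >> n & 1)
    return {"effective": bool(magic & 1), "permitted": names(permitted),
            "inheritable": names(inheritable)}

def high_risk(caps):
    return sorted(HIGH_RISK & set(caps["permitted"]))

def audit(root):
    """Yield (path, reason) for setuid/setgid files and files carrying capabilities."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    yield path, "setuid/setgid bit"
                caps = decode_file_caps(os.getxattr(path, "security.capability"))
                yield path, "file caps: " + ",".join(caps["permitted"])
            except (OSError, ValueError):
                continue  # no xattr, unreadable, or malformed value

if __name__ == "__main__":
    for path, reason in audit(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(f"{path}: {reason}")
```

Run it against each directory on the executable search path; a file that appears only under "file caps" is one that a plain `ls -l` mode check would not reveal.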