GNU Guix sports functional package management
Posted Aug 3, 2013 2:31 UTC (Sat) by idupree (guest, #71169)
In reply to: GNU Guix sports functional package management by etienne
Parent article: GNU Guix sports functional package management
"[Unprivileged?] users cannot install setuid binaries." - http://nixos.org/nixos/ . (Also, Openwall GNU/*/Linux has made a working system with no suid/sgid/fscaps binaries at all. I hope everyone goes this way eventually.)
Yes, it's a can of worms; these people opened the can and killed all the worms. After all, these worms threatened purity even without unprivileged package installation. Consider: If you (sysadmin) left an old, vulnerable 'sudo' installed? System security depends on whether you garbage-collect it![*] But if the filesystem cannot grant capabilities, and if users are already allowed to run their own binaries in their home directories, then adding data to new places in /nix/store is not a risk (besides defense-in-depth).
[*] I'm not up-to-date regarding whether Nix and/or Guix have this old-setuid-executables risk. I think the Openwall approach to setuid would be the best, but maybe that's just me.
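The comment's point is that a stale privileged binary only matters where the filesystem honours the setuid bit, and that the risk disappears once no such bits exist or the mount is nosuid. The following audit helper is an added example, not code from the comment, from Nix, or from Guix: it lists files under a given root that carry setuid/setgid bits and reports whether the mount holding a path is flagged nosuid (the mount check reads /proc/self/mounts and so only answers on Linux). The file name fake-sudo and the demo directory are constructed for the illustration.

```shell
#!/bin/sh
# Added example: audit a tree for setuid/setgid files and check whether the
# mount containing a path is nosuid, so that such bits would be inert there.

# Print every regular file below $1 with the setuid or setgid bit set.
# -xdev keeps the walk on one filesystem, matching how a store mount is judged.
find_privileged_files() {
    root=$1
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Print how many such files exist below $1 (0 is the state the comment hopes for).
count_privileged_files() {
    find_privileged_files "$1" | wc -l | tr -d ' '
}

# Return 0 if the mount containing $1 carries the nosuid option, 1 if it does
# not, and 2 if this cannot be determined (no /proc/self/mounts, e.g. non-Linux).
mount_has_nosuid() {
    target=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    [ -r /proc/self/mounts ] || return 2
    best=""
    bestopts=""
    # Longest-prefix match: the deepest mount point containing $target wins.
    while read -r dev mnt fstype opts rest; do
        if [ "$mnt" = "/" ] || [ "$target" = "$mnt" ] || [ "${target#"$mnt"/}" != "$target" ]; then
            if [ ${#mnt} -ge ${#best} ]; then
                best=$mnt
                bestopts=$opts
            fi
        fi
    done < /proc/self/mounts
    case ",$bestopts," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed directory: a stand-in file named fake-sudo (not a real
# binary) gets the setuid bit, which any owner may set on their own file.
demo_root=$(mktemp -d)
touch "$demo_root/fake-sudo"
chmod 4755 "$demo_root/fake-sudo"
echo "setuid/setgid files under $demo_root:"
find_privileged_files "$demo_root"
if mount_has_nosuid "$demo_root"; then
    echo "mount is nosuid: the bit is inert here"
else
    echo "mount honours setuid (or is unknown): stale privileged files here matter"
fi
rm -rf "$demo_root"
```

Run it against a real root such as `/nix/store` or `/gnu/store` (as a user with read access) to see whether anything privileged survives in the store and whether the mount options would neutralise it anyway; a non-empty listing on a mount that is not nosuid is exactly the garbage-collection dependency the comment describes.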