Toward safer GNU C Library tunable handling

This is slightly off topic, but your mention of getting rid of SUID/SGID happened to trigger a thought - couldn't most SUID/SGID programs be reasonably easily replaced with a shim that could just send an IPC to some daemon already running with the right environment to do the equivalent work...?