@pid_eins Indeed, reliance on SUID is one of the main design issues with sudo. I'm aiming to run a user-session with all privileges dropped (including an inability to escalate privileges). sudo/doas do not fit into such a scenario.
Fortunately, substitutes from recent years have avoided this by having a client-server design with a dedicated service handling spawning the process.