Description
DynamicUser is a very useful thing for all kinds of reasons, beyond just security (e.g. no need for a separate sysusers.d file). I've been using it happily for a while.
Now I have a problem - a service needs to run a program that runs a program that needs a suid-root binary. And, of course, it fails, because DynamicUser conflates several things like user/group management and a sort of 'lite' sandboxing. The docs say that NoNewPrivileges cannot be overridden when using DynamicUser. No justification for this is provided; it feels sort of like saying you "shouldn't" need to do this therefore you won't be allowed to. But such binaries are a part of UNIX and always were, so to break them is a bit annoying.
It would be good if NoNewPrivileges was overridable or just didn't get overridden here (as it's quite unintuitive that these dynamically created users are special in various ways).