In systemd v259 you can run commands that need privileges as your current user instead of as root.

With run0 --empower, you'll get a session as your current user in which you can do anything that root would be able to do, without actually being root.

And of course this is done via linux's capabilities, in particular:

       CAP_DAC_READ_SEARCH
              •  Bypass file read permission checks and directory read
                 and execute permission checks;
              •  invoke open_by_handle_at(2);
              •  use the linkat(2) AT_EMPTY_PATH flag to create a link to
                 a file referred to by a file descriptor.

Source:

• [1] https://mastodon.social/@pid_eins/115586469819973533