The current default is that such active objects execute with user permissions.
This system provides support for these objects to run with a smaller (minimal?) set of permissions needed to carry out their task.
Seems potentially problematic to properly assign and maintain all of these sub-user ids. Also to get the set of permissions properly done for each. Trading off one problem for another?