in reply to Re: Perl as a daemon... as root?
in thread Perl as a daemon... as root?

...So there's no point in dropping privs and re-gaining them later to do the tasks the daemon is written for: you would only make more "red lights blink" (e.g. passwordless sudo) elsewhere.

If the system supports setreuid() (Linux does), you don't need sudo to switch the userid. Start the script under root (or another privileged id), then drop privileges immediately. When an action needs root privileges again, that can be done with a local change to the effective uid $>:

    print "real: $<, effective $>\n";
    $> = 1000; # drop privileges
    print "real: $<, effective $>\n";
    {
        # locally regain privileges
        local $> = 0;
        $> == 0 or die "Insufficient privileges, run script as root";
        print "real: $<, effective $>\n";
    }
    # unprivileged again
    print "real: $<, effective $>\n";

That works without compromising security in any way.

Anno
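
An added example, not part of the original post: the same effective-uid switch wrapped with error checks, next to a permanent drop for daemons that never need root again. Assigning to `$>` leaves the real uid at 0, which is why root can be regained; the permanent variant changes every id and verifies that root is no longer reachable. The uid/gid 1000 and the function names are assumptions made for this sketch.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(setuid setgid getuid geteuid);

# Assumption for this example: 1000/1000 is the unprivileged account.
my ($RUN_UID, $RUN_GID) = (1000, 1000);

# Temporary drop: only the effective uid changes, so root can be regained.
sub drop_temporarily {
    my ($uid) = @_;
    $> = $uid;
    $> == $uid or die "could not set effective uid to $uid: $!";
}

# Run one code block as root; 'local' restores the old effective uid on exit,
# including when the block dies.
sub as_root {
    my ($code) = @_;
    local $> = 0;
    $> == 0 or die "cannot regain root (real uid $<): $!";
    return $code->();
}

# Permanent drop: group list first, then gid, then uid (real, effective, saved).
sub drop_permanently {
    my ($uid, $gid) = @_;
    $> = 0;                                   # all ids can only be changed as euid 0
    $> == 0 or die "not privileged: $!";
    $) = "$gid $gid";                         # effective gid plus supplementary groups
    setgid($gid) or die "setgid($gid): $!";
    setuid($uid) or die "setuid($uid): $!";
    getuid() == $uid && geteuid() == $uid or die "uid drop incomplete";
    # Verify the drop is irreversible: setuid(0) must fail from here on.
    defined setuid(0) and die "root is still reachable after drop";
}

if ($< != 0) {
    print "run as root to see the transitions (real: $<, effective: $>)\n";
    exit 0;
}
drop_temporarily($RUN_UID);
print "after temporary drop:  real $<, effective $>\n";
as_root(sub { print "inside as_root:        real $<, effective $>\n" });
print "back to unprivileged:  real $<, effective $>\n";
drop_permanently($RUN_UID, $RUN_GID);
printf "after permanent drop:  real %d, effective %d\n", getuid(), geteuid();
```

The temporary drop changes only the uid; the process keeps root's group memberships until `drop_permanently` resets them.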