But as far as I'm aware the reasoning is that if there's a way to access something from a normal user account (with admin privileges) it can be abused somehow.
Maybe a "key" would be the ability to boot/log in to a special mode with SIP enabled. Disabling/enabling it approximates this, but as far as I know an update will generally destroy your changes because Apple will just overwrite everything.
The suitable key would be to allow users to grant their own fine-grained entitlements to applications using their own self-signed certificate. The process should be suitably involved and complex enough to scare off regular users who may be attempting to do it under the direction of a third party (who may be trying to trick them), but it should be available to users who know what they’re doing.
Those resources are still owned by the root user, so regular apps can't change them. Turning off SIP gives you something more like a regular Linux system. The problem was that when a normal user is prompted to type their password by an application, they simply do it, granting the program root access, so Apple decided regular users shouldn't be able to accidentally do this. If you need that access, you have to reboot in recovery mode to turn off the safety rails.