I just noticed that the current implementation of this service still has an issue: the renameat() is performed as root, but the unprivileged user can also pass on file descriptors for directories it doesn't own, like /etc. Thus the caller could cause a "core" dump file to be placed anywhere in the system it has read access to. I just wrote this in the upstream MR#; it should be addressed before whitelisting the Polkit action.
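Added example (not part of the comment above and not the service's own code): one gate a privileged helper can put in front of renameat() when the destination directory fd comes from an unprivileged client. It fstat()s the fd and refuses unless the directory is owned by the caller's uid and the target name carries no path components. The helper names (`dir_fd_owned_by`, `place_core_dump`, `self_check`) and the assumption that the service already knows the caller's uid (for example from SO_PEERCRED or the Polkit subject) are mine; the page shows neither the service's protocol nor how the fd is received.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical check (added example): only accept a caller-supplied directory
 * fd if it really is a directory and is owned by the caller. The caller's uid
 * is assumed to come from a trusted source such as SO_PEERCRED. */
static int dir_fd_owned_by(int dirfd, uid_t caller_uid)
{
    struct stat st;

    if (fstat(dirfd, &st) != 0)
        return -errno;          /* e.g. -EBADF for a closed/invalid fd */
    if (!S_ISDIR(st.st_mode))
        return -ENOTDIR;
    if (st.st_uid != caller_uid)
        return -EACCES;         /* /etc, /, another user's home, ... */
    return 0;
}

/* Move a finished dump from src_dirfd/src_name to dst_dirfd/dst_name, but only
 * after the ownership check, and only for a plain file name so the client
 * cannot smuggle "../" or an absolute path past the directory fd.
 * Returns 0 on success, negative errno on refusal or failure. */
int place_core_dump(int src_dirfd, const char *src_name,
                    int dst_dirfd, const char *dst_name, uid_t caller_uid)
{
    int rc = dir_fd_owned_by(dst_dirfd, caller_uid);
    if (rc < 0)
        return rc;
    if (dst_name[0] == '\0' || strchr(dst_name, '/') != NULL ||
        strcmp(dst_name, ".") == 0 || strcmp(dst_name, "..") == 0)
        return -EINVAL;
    if (renameat(src_dirfd, src_name, dst_dirfd, dst_name) != 0)
        return -errno;
    return 0;
}

/* Exercise the check in a scratch directory (constructed here, not real
 * service data). Returns 0 when every scenario behaves as expected, otherwise
 * the number of the first scenario that did not. */
int self_check(void)
{
    const char *base = getenv("TMPDIR");
    char tmpl[4096];
    int dirfd, fd, result = 0;
    uid_t me = getuid();

    if (base == NULL)
        base = "/tmp";
    snprintf(tmpl, sizeof tmpl, "%s/coredump-check-XXXXXX", base);
    if (mkdtemp(tmpl) == NULL)
        return -1;
    dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -2;
    fd = openat(dirfd, "core.tmp", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -3;
    close(fd);

    /* 1: a directory owned by someone other than the caller is refused
     *    (me + 1 stands in for "any uid that is not the directory owner") */
    if (place_core_dump(dirfd, "core.tmp", dirfd, "core", me + 1) != -EACCES)
        result = 1;
    /* 2: a target name with a path component is refused even in an owned dir */
    else if (place_core_dump(dirfd, "core.tmp", dirfd, "../core", me) != -EINVAL)
        result = 2;
    /* 3: caller's own directory plus a plain name: the rename goes through */
    else if (place_core_dump(dirfd, "core.tmp", dirfd, "core", me) != 0)
        result = 3;
    else if (faccessat(dirfd, "core", F_OK, 0) != 0)
        result = 4;

    unlinkat(dirfd, "core", 0);
    unlinkat(dirfd, "core.tmp", 0);
    close(dirfd);
    rmdir(tmpl);
    return result;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The ownership test is the minimal gate; it still refuses directories the caller may legitimately write to, such as a root-owned sticky directory like /tmp. The more robust design is to perform the renameat() with the caller's own credentials (in a forked child after switching to the client's uid/gid, or under setfsuid/setfsgid), so the kernel applies the directory's permission bits instead of the helper reimplementing them.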