Thanks for checking. I would argue that if an attacker is able to influence the environment of this root process, then it's game over already. Also, it only changes behavior in the error case, when the new policy has changes that are incompatible with the old one. So even if someone were able to do this, the impact is very, very limited. Also, as you stated, this is an already existing mechanism, so I would like to reuse it if possible.