What's missing in this writeup is if/how capsudod can be configured to drop/acquire capabilities (in the capabilities(7) sense, in a namespace sense, or using openbsd's pledge(2)) before executing the command. From looking at the code it seems to rely on filesystem permissions to access the capsudod socket; when in order to make mounting USB drives actually safe via this kind of permission proxying method, you'd want to only give it very limited access to operations, like only the ability to make the mount(2) syscall. I generally agree, this is sudo in a different format and with a daemon; perhaps that's better. And it's written in C, which doesn't speak to avoiding the classic C-related privilege escalation risks (although this is a small amount of code compared to sudo).

If I'm a user who's been given access to run such a wrapper script via sudo, how do I further delegate that access?