It's complexity we'd have to maintain.

Valid point and if there is no use for anyone totally ok.

But the point for a service is that I'd basically have to keep a fork of libresolv and nss_dns up2date for this change which is much more work.

That's the reason why I was asking, perhaps some others would see some need for it.

 It also breaks in case processes
switch to some other for increased isolation (perhaps with user
namespaces).

Therefore I wanted to keep the legacy behavior untouched.
If there is no need to use uid filters just dig with the used config without any changes.

I recommend the separate service module approach.

If I have to do it that way sure.
Perhaps someone can give me some hints if there is a easier way to go for it instead of cloning the whole nss_dns including libresolv?