/userdata, /var/lib/lxc/android/rootfs/data and many other files and directories owned by system:system

Bug #1240223 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
android (Ubuntu) | Confirmed | Undecided | Unassigned |

Bug Description

/userdata drwxrwx--x system system
/var/lib/lxc/android/rootfs/cache drwxrwx--x system 2001
/var/lib/lxc/android/rootfs/cache/recovery drwxrwx--- system 2001
/var/lib/lxc/android/rootfs/cache/dalvik-cache drwxrwx--x system system
/var/lib/lxc/android/rootfs/data drwxrwx--x system system
/var/lib/lxc/android/rootfs/mnt drwxrwxr-x root system

Several services run as the system user (on mako image 96):
system 727 0.0 0.0 1200 244 ? S 11:59 0:01 /system/bin/servicemanager
system 744 0.2 0.0 7024 1584 ? Sl 11:59 0:38 /system/bin/sensorservice
system 748 0.0 0.0 2144 616 ? S 11:59 0:00 /system/bin/qseecomd
system 751 0.0 0.0 1456 560 ? S 11:59 0:00 /system/bin/qcks -i /firmware/image/ -r /data/tombstones/mdm/
system 779 0.0 0.0 4212 504 ? Sl 11:59 0:03 /system/bin/qseecomd
system 1740 0.0 0.0 1388 544 ? S 11:59 0:00 /system/bin/efsks -p /dev/ttyUSB0 -w /dev/block/platform/msm_sdcc.1/by-name/
system 1864 0.0 0.0 1068 328 ? S 11:59 0:00 sh -c /system/bin/ks -m -w /dev/block/platform/msm_sdcc.1/by-name/ -p /dev/ttyUSB0 -t -1 -l
system 1866 0.0 0.0 2452 1596 ? S 11:59 0:00 /system/bin/ks -m -w /dev/block/platform/msm_sdcc.1/by-name/ -p /dev/ttyUSB0 -t -1 -l

A flaw in any of these services could wreak havoc on the system. For example, the phablet user is in /userdata/user-data/phablet, so while /userdata/user-data is root:root, the 'system' user owns the parent directory so it is able to rename it and cause a DoS against the phablet user. Furthermore, /userdata/android-data is also owned by the 'system' user, so it can delete/modify files in this directory at will.
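
The parent-directory problem described above, as an added example that is not part of the original report: this Python check takes listing lines in the report's `path mode owner group` layout and reports entries that a non-root principal can rename or delete through the parent directory's permissions. The mode shown for /userdata/user-data is assumed (the report gives only root:root), and the /demo lines are constructed to show the sticky-bit case.

```python
import posixpath

# First line is from the report. The report gives /userdata/user-data as
# root:root without a mode, so drwxr-xr-x is assumed. /demo is constructed.
LISTING = """\
/userdata drwxrwx--x system system
/userdata/user-data drwxr-xr-x root root
/demo drwxrwxrwt root system
/demo/rootdir drwx------ root root
"""

def parse(listing):
    """Map path -> (mode string, owner, group)."""
    entries = {}
    for line in listing.splitlines():
        path, mode, owner, group = line.split()
        entries[path] = (mode, owner, group)
    return entries

def dir_writers(mode, owner, group):
    """Principals holding write+search on a directory, which is what
    rename and unlink of its entries require (entry ownership is irrelevant)."""
    found = []
    if mode[2] == "w" and mode[3] in "xs":
        found.append(("user", owner))
    if mode[5] == "w" and mode[6] in "xs":
        found.append(("group", group))
    if mode[8] == "w" and mode[9] in "xt":
        found.append(("other", "*"))
    return found

def rename_risks(listing):
    """Return (child, parent, kind, name) for each entry that a non-root
    principal can rename or delete via its parent directory."""
    entries = parse(listing)
    risks = []
    for child, (_, child_owner, _) in sorted(entries.items()):
        parent = posixpath.dirname(child)
        if parent not in entries:
            continue
        pmode, powner, pgroup = entries[parent]
        sticky = pmode[9] in "tT"
        for kind, name in dir_writers(pmode, powner, pgroup):
            if kind == "user" and name in ("root", child_owner):
                continue  # no privilege boundary crossed
            if kind != "user" and sticky:
                continue  # sticky: only entry owner, dir owner or root
            risks.append((child, parent, kind, name))
    return risks

if __name__ == "__main__":
    for risk in rename_risks(LISTING):
        print("%s: entries of %s can be renamed by %s %s" % risk)
```
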

tags: removed: avengers
information type: Private Security → Public Security
summary: - /userdata, /userdata/android-data and many files under
- /userdata/android-data are owned by system:system
+ /userdata, /var/lib/lxc/android/rootfs/mnt, /userdata/android-data and
+ many files under /userdata/android-data are owned by system:system
summary: - /userdata, /var/lib/lxc/android/rootfs/mnt, /userdata/android-data and
- many files under /userdata/android-data are owned by system:system
+ /userdata, /var/lib/lxc/android/rootfs/data and many other files and
+ directories owned by system:system
description: updated
Bill Filler (bfiller)
no longer affects: touch-preview-images
Changed in android (Ubuntu):
status: New → Confirmed
This report contains Public Security information  
Everyone can see this security related information.
