The primary use case of the PeerIdentitys-inside-SecurityIdentity bundling capability is bundling a Subject with the SI. But, the PI mechanism can't encompass Subject because of the way Subject.doAs works versus PI's pre/postAssociate mechanism.

If we do need the Subject bundling capability, we should just add a Subject field to SI and a method to create a bundled SI.

SI is in fact more closely aligned with an "SI is-a PI" arrangement, which we might or might not want to pursue later.