ACLs are quite possibly the sanest solution for when both connection and effective user are unprivileged users. It is however an overkill for all the other, arguably more common, cases where at least one of the users is root.

sp-rex-ssh needs to be changed to only rely on ACLs where absolutely necessary and find other ways for the more common cases.