Robert Haas:
Well, maybe. Suppose that role A has been granted pg_read_all_settings WITH INHERIT TRUE, SET TRUE and role B has been granted pg_read_all_settings WITH INHERIT TRUE, SET FALSE. A can create a table owned by pg_read_all_settings. If A does that, then B can now create a trigger on that table and usurp the privileges of pg_read_all_settings, after which B can now create any number of objects owned by pg_read_all_settings.
I'm not seeing how this is possible. A trigger function would run with the invoking user's privileges by default, right? So B would have to create a trigger with a SECURITY DEFINER function, which is owned by pg_read_all_settings to actually usurp the privileges of that role. But creating objects with that owner is exactly the thing B can't do.
What am I missing? Best Wolfgang