Privileged wayland sockets
We already have several protocols (e.g. xwayland-only protocols) that must not be exposed to unprivileged clients. I expect this number to rise in the future with at least ext-screencopy and ext-layer-shell becoming privileged protocols.
One way to separate unprivileged and privileged sockets is via the file system. Sandboxes only expose selected sockets in $XDG_RUNTIME_DIR to sandboxed applications. A wayland compositor can therefore create a socket called wayland-N.privileged which exposes even privileged protocols.
If such a schema was standardized, then clients that make use of such privileged protocols (e.g. screenshot tools, application launchers) could try to connect to the privileged socket. This would allow users to launch them without having to jump through compositor-specific hoops to launch them with elevated privileges.