We have an ongoing issue  where desktop users are unnecessarily prompted for a store login to perform local operations (e.g. removing a snap). This is because a desktop app can’t (safely) run as root and it’s impractical / unsafe to wrap the entire snapd API in a root daemon. This is a serious problem if you can’t contact the store (e.g. no network) - you can’t remove snaps from a GUI unless you have an existing Macaroon.
The agreed solution to this was to make a local Macaroon that would confirm the user can perform root operations (the Macaroon is got from snapd-login-service that runs as root and uses Polkit to authorize the user.
How close are we to having this local Macaroon?