There are already multiple independent ways to gain privilege on any given system. So far we’ve been mainly suggesting sudo for that, until an authenticated token is desired (for store access, or remote control, etc). If we add support for polkit, that’s again in addition to everything we already have today. That is really the key motivation for the design.
So, if I can simplify your point 1 into “It means not being able to have a polkit policy”, yes, that’s true and perhaps we should do that at some point for reasons related to that. That said, point 2 is not true. We need that regardless because polkit won’t tell us who that user is in the store, so we need the macaroon regardless. For point 3, we must support and improve expiry and other proper security measures with the mechanisms we use (sudo, macaroon, etc), and if we add polkit, we’ll need to also account for that. It’s one more mechanism rather than just a better alternative. Point 4 is closely related to points 2 and 3.
So, this is the background. We may end up going there, but given that this will be more logic, more dependencies, more authentication mechanisms, in addition to everything we already do, perhaps we should wait a bit more and see?