
>> - 'root is root'; no policy or other bullshit restricting what root can do by default

> Always good to have unrestricted access to root for all those necessary privilege escalations. Security policy just gets in the way. Who has time to activate this and authenticate that?

On GNU/Linux there’s SELinux for that, since 2001. Red Hat, which implements security very well, has had that enabled by default since forever basically.



Right, and SELinux, alternatives like AppArmor, and the various kernel hardening parameters available on Linux are things that get in your way relatively rarely. SIP is much more annoying.

And there are also configuration matters where rather than policy on what root is allowed to do per se, making things a pain in the ass is the security strategy. Like there's no way to non-interactively enable macOS' built-in SSH server without resorting to an enterprise endpoint management system.

Part of what gives the feeling that ‘root is not root’ on macOS is that you can't really administer macOS like a normal Unix system or like Linux. There's a bunch of things that require interactivity, or a cloud account logged in. There are files that are part of a normal POSIX filesystem which play a certain role in configuring Unix systems which are present on macOS, but literally just don't do anything anymore, in favor of some other format that macOS actually cares about and which is a bigger pain to edit or automate using normal Unix userland tools.

Things like creating users in a script are way more verbose on macOS than on Linux or any BSD I've seen. (The least annoying way to handle it IME is to use a wrapper that imitates NetBSD's utilities for this which is bundled in pkgsrc.)



