
That seems like the Right Way to do it...

As annoying as it is to have to update every sudo reference -> doas, it forces you to think about everywhere you're using it, rather than waiting to see what breaks and then trying to fix it.



> As annoying as it is to have to update every sudo reference -> doas, it forces you to think about everywhere you're using it, rather than waiting to see what breaks and then trying to fix it.

In my scripts I never call sudo or doas. Instead, if the script needs to do something as root, I write the whole script so that it expects to itself be run as root.

And then when I want to run my script, I run it as root:

    doas ./somescript.zsh


That's a much worse approach from a security POV.


No. That’s a blanket statement on your part that you cannot make because you don’t know what my scripts look like, or what commands they call.


No, it's never better to run whole scripts as root when root is only required for part of it. Unless every expression in your script requires root, the blanket statement holds.

In my experience, and in my own scripts, it is better to explicitly check if you are being run as root, advise against it and exit (with maybe some break-glass flags), and invoke sudo when escalated privileges are required.
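The pattern described in the comment above, as an added example that is not part of the thread or of any participant's scripts: refuse to start as root unless a break-glass flag is set, and wrap only the privileged step in doas or sudo. `ALLOW_ROOT`, `CUR_UID`, `ESCALATE`, the function names and `/etc/example.conf` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed). ALLOW_ROOT, CUR_UID, ESCALATE and the function
# names are hypothetical; /etc/example.conf is a placeholder path.

CUR_UID=${CUR_UID:-$(id -u)}   # overridable so the logic can be tested

# Refuse to run the whole script as root unless the break-glass flag is set.
# $1 = effective uid, $2 = break-glass value ("1" allows root).
check_not_root() {
    if [ "$1" -eq 0 ] && [ "$2" != "1" ]; then
        echo "do not run this script as root; it escalates only where needed" >&2
        echo "(set ALLOW_ROOT=1 to override)" >&2
        return 1
    fi
}

# Prefer doas, fall back to sudo; fail if neither is installed.
pick_escalator() {
    for tool in doas sudo; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "$tool"
            return 0
        fi
    done
    return 1
}

# Run exactly one command with root privileges.
# Under break-glass (already root) the command runs directly.
as_root() {
    if [ "$CUR_UID" -eq 0 ]; then
        "$@"
    else
        "$ESCALATE" "$@"
    fi
}

main() {
    check_not_root "$CUR_UID" "${ALLOW_ROOT:-0}" || return 1
    ESCALATE=${ESCALATE:-$(pick_escalator)} || {
        echo "neither doas nor sudo found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    printf 'setting = value\n' > "$tmp"                # unprivileged work
    as_root install -m 0644 "$tmp" /etc/example.conf   # the only root step
    rm -f "$tmp"
}
# A real script would end with:  main "$@"
```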


Yes, it's a blanket statement; better, it's an absolute statement, because it's absolutely true.

You're taking a shortcut due to convenience and it's bad security practice.

It's that simple.


I just constantly run as root since there is always a chance that I might need root permissions for something. /s



