... BTW, re-reading the commit message for a0ffa885e:

    One caveat is that PGC_USERSET GUCs are unaffected by the SET privilege
    --- one could wish that those were handled by a revocable grant to
    PUBLIC, but they are not, because we couldn't make it robust enough
    for GUCs defined by extensions.

it suddenly struck me to wonder if the later 13d838815 changed the situation enough to allow revisiting that problem, and/or if storing the source role's OID in pg_db_role_setting would help.

I don't immediately recall all the problems that led us to leave USERSET GUCs out of the feature, so maybe this is nuts; but maybe it isn't. It'd be worth considering if we're trying to improve matters here.

regards, tom lane