If a non-root user can mount a daemon on a directory, he can somehow
mount something which provides him with an SUID shell. As I said,
I have a third-party package which can be abused in this way. Since
the problem is not the fault of the third party, I am inclined not
to reveal more detail as to what and who.