Systemd Looks to Replace sudo with run0

https://discuss.tchncs.de/post/15431565


The article talks about sudo and doas being SUID binaries and having a larger attack surface than run0 would. Could someone ELI5 what this means?

SUID stands for Set User ID. An SUID binary is a file that is always run with the UID of a specific user (almost always root). For instance, the ping command needs to set up network sockets, which requires root permissions, but is also often used by non-root users to check their network connections. Instead of having to sudo ping, any normal user is able to just run ping, as it uses SUID to run as the root user. sudo and doas also require functions that necessitate them running as root, and so if you can find out how to exploit these commands to run some arbitrary code without having to authenticate (since authentication happens after the binary has started running), there is a potential for vulnerabilities. Specifically, there is the potential for arbitrary code execution as root, which is the most severe type of vulnerability.

run0 starts using systemd-run, which does not use SUID. Instead, it runs with the permissions of the current user, and then authenticates to the root user after the binary has already started to run. So this means that in order to exploit arbitrary code execution with run0 as root, you have to actually authenticate first, removing the “before authentication” attack surface of sudo and doas.

TL;DR: SUID binaries will always run as root, even before authenticating. run0 will start with the permissions of the current user, and then authenticates before running with root permissions.
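The answer above describes the setuid-root binaries that "always run as root, even before authenticating". The script below is an added example, not code from the post or from the systemd project: it shows how to enumerate exactly those files on a host and filter out the ones that are not part of that attack surface (setuid to a non-root user, setgid only). The SAMPLE block is constructed to look like the output of `find ... -exec stat -c '%a %U %n'` (GNU coreutils `stat`); its paths and modes are assumptions, not a claim about any particular distribution.

```shell
#!/bin/sh
# Added example (not from the post or from systemd): list the setuid-root
# binaries on a host, i.e. the files that start with euid 0 before any
# authentication happens, which is the attack surface the post describes.
#
# Real data comes from (GNU coreutils stat assumed):
#   find / -xdev -type f -perm -4000 -exec stat -c '%a %U %n' {} +
# The SAMPLE below is constructed to look like that output; the paths and
# modes are assumptions, not a claim about any particular distribution.

SAMPLE='4755 root /usr/bin/sudo
4755 root /usr/bin/doas
755 root /usr/bin/run0
755 root /usr/bin/ping
4755 alice /home/alice/bin/tool
2755 root /usr/bin/wall'

# has_setuid_bit MODE: succeeds if the octal mode carries the setuid bit.
# The special digit (first of four) encodes setuid=4, setgid=2, sticky=1,
# so any value 4..7 means setuid is set; a three-digit mode has no special
# bits at all.
has_setuid_bit() {
  case "$1" in
    4???|5???|6???|7???) return 0 ;;
    *) return 1 ;;
  esac
}

# list_setuid_root INPUT: print the path of every entry that is setuid AND
# owned by root. Entries that are setuid to a non-root user (alice above)
# or setgid only (wall above) are deliberately excluded: they do not hand
# out euid 0.
list_setuid_root() {
  printf '%s\n' "$1" | while read -r mode owner path; do
    [ -n "$path" ] || continue
    if has_setuid_bit "$mode" && [ "$owner" = "root" ]; then
      printf '%s\n' "$path"
    fi
  done
}

# setuid_root_count INPUT: number of setuid-root entries in INPUT.
setuid_root_count() {
  list_setuid_root "$1" | wc -l | tr -d ' '
}

# scan_live: run the same filter over the real filesystem. Unreadable
# directories are skipped silently; run as root for a complete picture.
scan_live() {
  list_setuid_root "$(find / -xdev -type f -perm -4000 \
    -exec stat -c '%a %U %n' {} + 2>/dev/null)"
}

# Default run uses the constructed sample; `./suid-scan.sh --live` uses find.
case "${1:-}" in
  --live) scan_live ;;
  *) list_setuid_root "$SAMPLE" ;;
esac
```

Two things worth checking when you run this for real: `run0` should not appear in the list at all (it is a plain binary that talks to the service manager, so a normal mode like 755 is expected), and `ping` may be missing too, because many current distributions give it the `cap_net_raw` file capability instead of the setuid bit; `getcap /usr/bin/ping` shows that. Every path the live scan does print is a program that begins executing with euid 0 before it has checked who invoked it.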