Google's Project Zero, which begins...
Click through that link to see examples of this abuse in action, but also information about how the underlying risks have been (or can be) mitigated.
With a pull request systemd now supports a su command functional and can create privileged sessions that are fully isolated from the original session.
The su command is seen as bad because what it is supposed to do is ambiguous.
On one hand it's supposed to open a new session and change a number of execution context parameters, and on the other it's supposed to inherit a lot concepts from the originating session. Lennart Poettering's long story short: "`su` is really a broken concept.
It will given you kind of a shell, and it's fine to use it for that, but it's not a full login, and shouldn't be mistaken for one." The replacement command provided by systemd is machinectl shell.