You know, I keep hoping that one day I will win a technical argument with Petr about some techincal aspect of Moodle, but I don't think it has happened, yet, and it hasn't happened now. Petr, being right is a very infuriating way for you to win every argument
OK, capabilties it is then.
However, steps 1 - 3 in my "With roles, what you have to do is" instructions are really painful for our admin staff.
I think what we really need is an admin tool where you can choose any capability, and then see and edit what the permissions for that capability in all the role definitions. I can, of course, implement such a tool plugin, and it will be useful in other cases.
The only use-case this does not cover is the one were we want to try some dodgy plugin that does not provide a mod/pileofrubbis:addinstance capability - and we don't want to edit the code to define the capability before installing it on our system - OK. That is never going to happen. But my proposal did handle that case.