> alter package managers to allow installation of packages into a subtree of the user's home directory if the user is not root, etc.

Guix and Nix. I haven't used Nix, but Guix even allows ad-hoc containers running only specific programs and their dependencies:

https://www.gnu.org/software/guix/manual/html_node/Invoking-...

That doesn't help with the privileged port problem, but per-user services can be dealt with.