Here's a patch against ebuild.sh that adds dyn_preinst, and moves the sfperms and selinux blocks from dyn_install to dyn_preinst. It is dependant on the ${EMERGE_FROM} being set (binary or ebuild), which is a change you said would be made. Please note the last hunk of the patch; I'm not sure which case you want preinst moved to.
Created attachment 19623 [details, diff] ebuild.sh-dyn_preinst.diff patch against ebuild.sh from portage-2.0.49-r15 (cvs v1.143)
Created attachment 20605 [details, diff] updated dyn_preinst patch This updated one adds in FEATURES nodoc, noman, and noinfo to remove the respective stuff from /usr/share, as needed by the embedded team
Ok, genome tells me that the FEATURES in the 2nd patch will be covered by the forthcoming INSTALL_PROTECT. So, ignore the 2nd patch, and just look at the first patch.
Went with patch 2. in for -r17