We've been using individual security.* excludes since bug 548516, because the need to allow security.capability prevents us from excluding security.* by default. We can solve this problem by adding support for things like PORTAGE_XATTR_EXCLUDE="security.* -security.capability" like INSTALL_MASK.
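The proposed syntax could be evaluated as below; this is an added sketch, not Portage's code and not part of the original report. It assumes that patterns are shell globs applied in order, that a leading `-` re-includes a name, and that the last matching pattern wins; the function names and sample attributes are hypothetical.

```python
import fnmatch

def parse_xattr_exclude(value):
    """Split a PORTAGE_XATTR_EXCLUDE-style string into ordered rules.

    Each rule is (exclude, pattern). A leading '-' marks a pattern that
    re-includes matching names (assumed semantics, see lead-in).
    """
    rules = []
    for token in value.split():
        if token.startswith("-") and len(token) > 1:
            rules.append((False, token[1:]))
        else:
            rules.append((True, token))
    return rules

def is_excluded(name, rules):
    """Return True if the xattr name should be dropped; last match wins."""
    excluded = False
    for exclude, pattern in rules:
        if fnmatch.fnmatchcase(name, pattern):
            excluded = exclude
    return excluded

def filter_xattrs(xattrs, value):
    """Return only the xattrs that survive the exclude specification."""
    rules = parse_xattr_exclude(value)
    return {k: v for k, v in xattrs.items() if not is_excluded(k, rules)}

# Constructed sample: xattrs as they might appear on one installed file.
SAMPLE = {
    "security.capability": b"<constructed file-capability blob>",
    "security.selinux": b"system_u:object_r:bin_t:s0",
    "security.ima": b"<constructed IMA signature>",
    "user.pax.flags": b"em",
    "btrfs.compression": b"zstd",
}

if __name__ == "__main__":
    spec = "security.* -security.capability"
    for name in sorted(filter_xattrs(SAMPLE, spec)):
        print("kept:", name)
```

Under these assumptions order matters: writing `-security.capability security.*` would strip file capabilities again, because the broad glob matches last.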