Since bug 461868, PORTAGE_XATTR_EXCLUDE excludes security.* attributes. However, it is possible to apply security.capability attributes which are created by the setcap utility from sys-libs/libcap (used by fcaps.eclass).
According to comments in bug 461868, we definitely need to exclude security.selinux, and maybe also security.ima and security.evm.
For binary package support, we'll have to enable xattrs in the tar options (requires that app-arch/tar is built with USE=xattr enabled). When creation of tar files, only the --xattr option needs to be added. For extraction, both --xattrs and --xattrs-include='*' are needed.
There's a patch in the following branch:
I've posted it for review here:
This is in the master branch:
Released in portage-2.2.19