This bug was partially mentioned in #gentoo-toolchain and this is the place to gather ideas.
sys-devel/gcc has USE="pie ssp"
The meaning of both USE flags pie and ssp is to have those 'technologies/protections' on the ELF installed by the package, but in this case they are meant to force gcc to compile everything by default as pie/ssp.
So, at this point it would be great to rename these flags.
Since we are forcing other flags than the mentioned ones, I'd propose to use the same approach for everything instead of having something controllable by USE and something controllable by forcing the opposite (like fortify_source).
Over the years I saw a lot of people asking which flags we are forcing, and this way it will be clearer.
An idea could be to have in make.conf:
GCC_DEFAULT_COMPILER_FLAGS="pie stack-protector stack-protector-strong stack-protector-all fortify-source-2 fcf and-so-on"
GCC_DEFAULT_LINKER_FLAGS="O1 as-needed relro and-so-on"
Obviously the content of those variables should be controlled by profiles and the final result or behavior should remain the same.
Not against the USE_EXPAND-based idea, I kinda like it.
We should probably reconcile with using specs rather than patches to do that, though. An all-inclusive build of GCC can easily take a few hours.
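
On the question raised in the report of which flags the compiler is forcing, an installed GCC can be asked directly through its predefined macros. This is an added example, not part of the bug thread or of Gentoo's tooling: the output tokens borrow the names from the proposed GCC_DEFAULT_COMPILER_FLAGS list, and classify_macros, probe_compiler and sample_dump are hypothetical names. Linker defaults are not covered.

```shell
#!/bin/sh
# Added example: list the hardening defaults a compiler forces, derived from
# the macros it predefines. Token names mirror the proposed make.conf list.

# classify_macros: read `gcc -dM -E` output on stdin, print one token per line.
classify_macros() {
    awk '
        $1 != "#define"                     { next }
        $2 == "__PIE__" || $2 == "__pie__"  { pie = 1 }
        $2 == "__SSP__"                     { ssp = "stack-protector" }
        $2 == "__SSP_STRONG__"              { ssp = "stack-protector-strong" }
        $2 == "__SSP_ALL__"                 { ssp = "stack-protector-all" }
        $2 == "_FORTIFY_SOURCE"             { fortify = $3 }
        $2 == "__CET__"                     { cet = 1 }
        END {
            if (pie)           print "pie"
            if (ssp != "")     print ssp
            if (fortify != "") print "fortify-source-" fortify
            if (cet)           print "fcf"
        }'
}

# probe_compiler: dump the macros of the given compiler (default: gcc) with no
# user flags except -O2, since _FORTIFY_SOURCE only takes effect when optimizing.
probe_compiler() {
    "${1:-gcc}" -O2 -dM -E -x c /dev/null 2>/dev/null | classify_macros
}

# sample_dump: constructed macro dump, used when no compiler is available.
sample_dump() {
    cat <<'EOF'
#define __STDC__ 1
#define __PIE__ 2
#define __pie__ 2
#define __SSP_STRONG__ 3
#define _FORTIFY_SOURCE 2
#define __CET__ 3
EOF
}

if command -v gcc >/dev/null 2>&1; then
    echo "gcc defaults:"; probe_compiler gcc
else
    echo "constructed sample:"; sample_dump | classify_macros
fi
```

Passing another compiler name, for example `probe_compiler clang`, compares toolchains on the same machine.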