The first example drops all capabilities except setuid/setgid, then changes to a user, then regains a specific capability. The second example sets the inheritable capabilities and drops all capabilities except setuid/setgid, then changes to a user, then execve()s a program that is assumed to have the same set of inheritable capabilities in its xattrs, plus the effective flag. The result is that the launched program has only that specific capability, and nobody can gain the allowed capability automatically (as opposed to effective + permitted file capabilities); only the runner can do it.