Thanks for sharing. Wasn’t aware of this. Will check it out today.
For now, I figured I’d have a BEFORE UPDATE trigger which compares the md5(NEW.privileges::text) with md5(OLD.privileges::text) and raises an error if they don’t match.
Not sure how to bypass the trigger for service accounts.
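
The trigger described in the post above, sketched for PostgreSQL as an added example that is not part of the original post. The table name `accounts` and the group role `svc_privilege_admin` are assumptions; only the `privileges` column comes from the post, and `EXECUTE FUNCTION` assumes PostgreSQL 11 or later.

```sql
-- Added example. "accounts" and "svc_privilege_admin" are hypothetical names;
-- only the "privileges" column name comes from the post.

-- Group role whose members may change privileges. Service accounts are granted
-- membership in it rather than being listed by name inside the function.
CREATE ROLE svc_privilege_admin NOLOGIN;

CREATE OR REPLACE FUNCTION guard_privileges_update()
RETURNS trigger
LANGUAGE plpgsql
AS $$
BEGIN
    -- session_user is the role that authenticated; SET ROLE does not change it.
    -- pg_has_role() also returns true for superusers.
    IF pg_has_role(session_user, 'svc_privilege_admin', 'MEMBER') THEN
        RETURN NEW;
    END IF;

    RAISE EXCEPTION 'role % may not modify accounts.privileges', session_user
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER accounts_privileges_guard
BEFORE UPDATE ON accounts
FOR EACH ROW
-- Comparing the ::text casts works for column types that have no equality
-- operator (for example json). IS DISTINCT FROM treats NULL as a comparable
-- value; a plain <> on the md5 values evaluates to NULL when either side is
-- NULL, so an IF built on it would not raise for a NULL-to-value change.
WHEN (OLD.privileges::text IS DISTINCT FROM NEW.privileges::text)
EXECUTE FUNCTION guard_privileges_update();
```

Because the `WHEN` clause filters rows before the function is called, updates that leave `privileges` untouched never reach the role check.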