The krb5_init_secure_context() approach does not work for GSS
applications.

An application might use GSS unwittingly (via SASL, via LDAP, via
nss_ldap, via the name service switch).

It would be better to have krb5_init_context() automatically detect
set-uid context and function like krb5_init_secure_context() when in
set-uid context.

Heimdal has a portable set-uid detection facility that you could copy:

https://github.com/heimdal/heimdal/blob/master/lib/roken/issuid.c

It's not always possible to determine if the application is set-uid.

In some cases it's not.

Solaris/Illumos and OpenBSD have the only fail-safe method: the
issetugid(2) system call.  FreeBSD and NetBSD have a system call with
the same name that unfortunately doesn't quite work correctly but which
will do.  Recent Linux kernels supply ELF aux vector entries that
include the necessary information.