As Jon said, switching the system requires root permissions, this is as expected. building it is safe as non root though.
I’m using a wrapper that first uses nix build .#nixosConfigurations.$(hostname).config.system.build.toplevel .#homeConfigurations.$(whoami)@$(hostname).activationScript to build both, system and HM profiles.
Then I run ./result-1/activate to activate the HM profile.
Last but not least the script prints some explanation about switching system profiles and that I need to enter my password, then it runs sudo nixos-rebuild switch --flake .#$(hostname).
Currently the script is not public, as I am rewriting it in xz, which is not really as I want it so far.
Current state of the conversion can be seen at flake.lock: Update by NobbZ · Pull Request #10 · NobbZ/nixos-config · GitHub