How to run `sudo` in a nix-shell --pure shebang script?

The solutions are all kludges because Nix doesn’t directly handle them, and it turns sudo and some other packages that need wrappers into footguns if you embed them in a build and deploy them without realizing they won’t work.

resholve has the ~same need to reference these within nix builds.

I have been wishing we had some kind of oracle (edit: posted about this in Limited interface to system/nix-external dependencies?) that could return a symlink path somewhere in /nix that nix updates to point at some of these unavoidable ~system executables (and issue an error at build time if this dependency can’t be satisfied).

To ensure they aren’t used in the build itself, the symlink either wouldn’t exist at build time or wouldn’t be accessible in the build sandbox. If the former, maybe the directory that contains these would itself be a symlink that gets detached before any build and reattached after.