I'm pretty sure maildrop should not be setuid root, since postfix is supposed to change to the user of the recipient before calling maildrop.
I would totally agree, but unfortunately this doesn't seem to be possible for the reasons stated above. I will fill a bug report.
Also, getuid() returns the real user ID, geteuid() returns the effective user ID.
Ah, nice to know, maildrop only uses getuid(), maybe that's part of the problem.