PackagingDraft/ScriptletsWriteDirs

It only makes sense to populate %buildroot during install, as we're already asking %install and %clean to prune the %buildroot.

Furthermore abusing the %buildroot during %prep and %build may have issues with stepped rpmbuilds ("short-circuited") and a non-deterministic choice in the buildroot (e.g. one that contains a random component).

Scriplets are only allowed to write in certain directories (current)
Build scripts of packages (%prep, %build, %install and %check) may only alter files (create, modify, delete) under %{buildroot}, %{_builddir} and valid temporary locations like /tmp, /var/tmp (or $TMPDIR or %{_tmppath} as set by the rpmbuild process).

Further clarification: That should hold true irrespective of the builder's uid

Scriplets are only allowed to write in certain directories (proposed)
Build scripts of packages (%prep, %build, %install, %check and %clean) may only alter files (create, modify, delete) under %{buildroot}, %{_builddir} and valid temporary locations like /tmp, /var/tmp (or $TMPDIR or %{_tmppath} as set by the rpmbuild process) according to the following matrix

Further clarification: That should hold true irrespective of the builder's uid.