There isn't a "revoke privileges" kernel feature either despite years of trying (it is a hard problem).
You can't do it through a capabilities interface, even?
That means userspace has to have a sophisticated session manager like logind with kernel integration in order to keep the multi-seat sessions safe.
Why would it need to be married to the init daemon? That's the part that's unclear. cgroups permit management of process groups no matter how, why, or when they were created, or who created them. It doesn't matter if init starts the process; any other daemon could have done that job.