a) wasn't the previous systemd philosophy about things like sudo for services to convert them to user services and not needing privileges?
User services are for things that don't need elevated privileges, like components of your GUI desktop environment. Tools like sudo and run0 are for administrative tasks that genuinely do need privilege. They're unrelated things, and I've never seen anything saying to replace sudo with unprivileged user services; that doesn't even make sense to me.
b) he says sudo has too great an attack surface and then starts talking about all its extra features including "fun"?
The "fun" is in an untrusted and unprivileged client, not in the privileged code that enforces security. The only attack surface is the interface between those parts, which is much narrower than sudo's, and isn't affected by UI features in the untrusted client.
c) hold up if it modifies output and you're piping text, isn't that going to screw workflows?
I don't see anything in Lennart's comments about modifying output. The changing of the terminal background color is done by writing control codes to the terminal, but I'm sure that happens only when the output is a terminal, not when you've redirected to a file or pipe. (This is commonplace; it's the same thing the ls command does to give you colored, multi-column file listings only when viewed in a terminal.)
d) if it's "half under the control of unprivileged processes", isn't the other half under the control of the enforcing kernel with veto rights?
The other half is a privileged (i.e. root) process, for which the kernel doesn't veto things. Child processes inherit a lot of state from their parents (environment variables, open files, control groups, CPU affinity and priority, etc.) and that state can affect how the child process behaves. Tools like sudo do a lot of work to sanitize the inherited state, but anything that gets missed can be a vulnerability. The scenario is that an administrator has configured sudo to allow you to run a specific command as root to do a specific limited thing, but by manipulating the state inherited by that command (i.e. stuff outside the actual command string), you can trick it into doing other things that the administrator didn't intend to allow.
e) how is suid "a weird idea" if it's been in use since the early 1970s and currently in the public domain?
It's weird because it causes a privileged process to inherit lots of state that's controlled by an unprivileged one and thus can be poisoned by an attacker. Being old doesn't negate that. Early UNIX was full of holes by modern standards; the people who invented setuid didn't anticipate the sophisticated attacks that were developed later.
f) What, er, what privileges will run0 run with?
None, i.e. just your normal user account. It's an unprivileged and untrusted client which sends a request to a separate privileged process (namely, the systemd service manager).
g) So, we're not supposed to trust a system in place and openly published since the 1970s, but let's all trust to the great Algorithm that is systemd?
Old does not mean secure; quite the opposite actually. The pitfalls of setuid have been recognized for a long time and are a recurring source of vulnerabilities (see this and this for examples), and avoiding it is an entirely reasonable thing to do.
h) Wasn't there a thing once upon a time where systemd was supposed to allow mobile home directories and trusts of those home directories? But SUDO has a big attack surface...?
You're thinking of systemd-homed, which I've never used because I've never seen a distro that enables it by default, and I've never seen enough of a need to try it manually. That said, user home directories are untrusted by definition, and I'm sure systemd-homed mounts them with safety options like nodev and nosuid, so the content of the filesystem shouldn't be a problem. It also remaps file ownership to a locally-assigned uid, ignoring the ownership information stored in the filesystem as far as I can tell, so tampering with the on-disk ownership won't accomplish anything. There are legitimate concerns about mounting untrusted filesystem images (which might be crafted to exploit bugs in the kernel's filesystem driver), but the same risk applies to common things like mounting a USB thumbdrive, so systemd-homed doesn't seem like a significant new attack surface there.
Still, I expect there'd be more concern about the attack surface of systemd-homed if more people actually used it. It seems pretty niche right now. Sudo, on the other hand is very widely-used.
Not to mention "fun to use", is this a workflow tool or a video game? He really does work for Microsoft, doesn't he?
The "fun to use" is a humorous exaggeration; Lennart was referring to a small UI feature that just indicates whether your terminal window is privileged or not. Hardly a video game.