This is often done with fork(2) + set{uid,gid,euid,egid}(2).
Is there an advantage to passing a file descriptor? What's the workflow in this case, the daemon runs with privileges and passes the fd to a process that's entirely separate and was never started as root? What would passing fds provide that forking + dropping privileges doesn't?
You got the gist of it: you can have a privileged process that can access resources and pass them to an unprivileged process upon request. The unprivileged process runs as nobody and is chrooted into an empty directory, so the file descriptors are capabilities. It doesn't really matter if the unprivileged process is a child of the root one, so long as it discards all inherited resources/privileges other than its end of the socket before real work begins.
The advantage over merely inheriting resources is that you can grant new resources later on and decide whether to grant them in a stateful manner.
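The workflow described in this reply, as an added example that is not part of the original thread: a broker passes a descriptor to a worker over a Unix socket with SCM_RIGHTS and refuses a second request. The names `send_fd`, `recv_fd` and `demo`, the one-byte "R"/"N" request protocol and the pipe standing in for a privileged resource are assumptions; the setuid/chroot step is only marked in a comment so the demo runs without root.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Control buffer for one descriptor, aligned for struct cmsghdr. */
union ctl { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; };
/* Privileged side: attach fd to a one-byte message as SCM_RIGHTS data. */
static int send_fd(int sock, int fd) {
    char byte = 'F'; union ctl u = { .buf = {0} };
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Unprivileged side: returns the received fd, or -1 if none was attached. */
static int recv_fd(int sock) {
    char byte; union ctl u; int fd = -1;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}
/* Constructed demo: broker grants a pipe on the first request only. */
int demo(void) {
    int sp[2], res[2], st = 0, grants = 0; char req, buf[6];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) || pipe(res) ||
        write(res[1], "secret", 6) != 6) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {  /* worker: real code would setuid and chroot here */
        close(sp[0]); close(res[0]); close(res[1]);  /* keep only the socket */
        int a = write(sp[1], "R", 1) == 1 ? recv_fd(sp[1]) : -1;
        int b = write(sp[1], "R", 1) == 1 ? recv_fd(sp[1]) : -1;
        _exit(a >= 0 && b < 0 && read(a, buf, 6) == 6 &&
              memcmp(buf, "secret", 6) == 0 ? 0 : 1);
    }
    close(sp[1]);
    while (read(sp[0], &req, 1) == 1)  /* decide per request, with state */
        if (grants++ ? write(sp[0], "N", 1) != 1 : send_fd(sp[0], res[0])) break;
    return waitpid(pid, &st, 0) == pid && WIFEXITED(st) && WEXITSTATUS(st) == 0;
}
int main(void) { return demo() == 1 ? 0 : 1; }
```

The worker closes every inherited descriptor except its socket end, so the only way it reaches the pipe is the descriptor the broker chose to send.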