So I noticed that kdesu is setgid 'nogroup'. That group is the fallback for groups from a remote NFS share that do not exist on the local machine. Since kdesu does not deal with NFS, I wanted to get rid of this (ab)use of 'nogroup'.
From all that I could gather (inline comments and a discussion on the KDE su handbook), the goal of the setgid bit on the binary is not to access any file as 'nogroup', but to prevent other processes of the calling user from accessing cached passwords, e.g. through ptrace(), core dumps or /proc/<pid>/memory. While setgid is one way to achieve that, both Linux and FreeBSD allow setting a kernel flag to directly to disable such access. So I went for that.