... that I couldn't get the dspam CGI working properly without some form of suexec execution, because it wouldn't correctly redeliver false positives from the quarantine unless it ran as user dspam. In so saying, I misspoke, because I forgot a detail. (Well, two, actually.)
The first detail I forgot was that I'd just upgraded Dspam from v3.6.8 to v3.8.0, in the midst of everything else. While I was at it.
The second detail I forgot was that when I installed Dspam 3.6.8, I'd found it had a problem redelivering false positives from quarantine using Postfix's sendmail-replacement utility as a local delivery agent, because Dspam made the false assumption that all possible local delivery agents require a -d command-line option when re-injecting mail for delivery. This turns out not to be the case, which is a problem, because the -d option isn't set in a configuration file; it's hard-coded into dspam.c regardless of the configured local delivery agent.
At the time, I reported this as a bug against Dspam. Evidently, either no-one ever read the bug report, or no-one ever did anything about it. Since I never found where precisely the hard-coded -d was coming from, I wrote a simple patch for my own use here that scans the arguments to the local delivery agent and changes -d (which causes local re-injection to fail, if present) to -i (which, when processing a single message at a time as I have it configured, is harmless).
So I just re-applied that patch against Dspam-3.8.0. End of problem.
But it's still stupid for that -d to be hard-coded.