Read the docs a bit more, now it seems like it is this:
x = c
can_regain_caps_without_execve = (a || b) && !NO_NEW_PRIVS && (!SECBIT_NO_SETUID_FIXUP || (CAP_SETPCAP && !SECBIT_NO_SETUID_FIXUP_LOCKED))
y = c || e || can_regain_caps_without_execve
I.e.
- Zero/nonzero uid is only meaningful when it changes and "root hacks" are active;
- Only effective capabilities are used for checks; everything else is capability management;
- Bounding set and inherited capabilities are about execve => out of scope for this answer.
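An added example, not part of the thread: it applies the can_regain_caps_without_execve condition from the comment above to a process's /proc/<pid>/status dump and its securebits word. The (a || b) term is defined elsewhere in the thread, so it is passed in as a boolean argument (assumption); bit values come from linux/securebits.h and linux/capability.h.

```python
# Added example (not from the original thread): evaluate the
# can_regain_caps_without_execve condition from a /proc/<pid>/status
# dump plus the process's securebits word.
import re

# Bit positions from <linux/securebits.h> and <linux/capability.h>.
SECBIT_NO_SETUID_FIXUP = 1 << 2
SECBIT_NO_SETUID_FIXUP_LOCKED = 1 << 3
CAP_SETPCAP = 8


def parse_status(status_text: str) -> dict:
    """Pull CapEff and NoNewPrivs out of a /proc/<pid>/status dump."""
    fields = {}
    for line in status_text.splitlines():
        m = re.match(r"^(\w+):\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return {
        "cap_eff": int(fields["CapEff"], 16),
        # NoNewPrivs is absent on older kernels; treat missing as unset.
        "no_new_privs": fields.get("NoNewPrivs", "0") == "1",
    }


def can_regain_caps_without_execve(status_text: str, securebits: int,
                                   root_hack_condition: bool) -> bool:
    """The formula from the comment above.

    root_hack_condition stands in for the '(a || b)' term, which the
    thread defines elsewhere (assumption: the caller supplies it).
    """
    st = parse_status(status_text)
    has_setpcap = bool(st["cap_eff"] & (1 << CAP_SETPCAP))
    fixup = bool(securebits & SECBIT_NO_SETUID_FIXUP)
    fixup_locked = bool(securebits & SECBIT_NO_SETUID_FIXUP_LOCKED)
    return (root_hack_condition
            and not st["no_new_privs"]
            and (not fixup or (has_setpcap and not fixup_locked)))


# Constructed sample: effective caps = CAP_SETPCAP only, NoNewPrivs unset.
SAMPLE_STATUS = "Name:\tsh\nCapEff:\t0000000000000100\nNoNewPrivs:\t0\n"
```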