Privsep and privdrop
In 1997, Daniel J. Bernstein published qmail, composed of several programs with different privileges interacting with each other, with only a couple of them running as root, to reduce the attack surface.
Around the same time, Postfix used the same approach.
Nowadays, a lot of network-facing programs and services in OpenBSD drop their privileges as soon as possible (privdrop): ping, portmap, traceroute, rwalld, pppd, spamd, httpd, named, authpf, etc.
As Ivan Fratric said in 2019:
Empirical evidence suggests that attack surface reduction is one of the most impactful (if not the most impactful) things that can be done for product security. Going the opposite way is… disappointing.