Privileged Routine Applications (PRA) and $ROLES After
When creating a PRA (Privileged Routine Application; which by the way is not relevant just for Routines but also for Classes/Methods), it is important to make sure you include a new $ROLES, before calling AddRoles(). For example:
new $ROLES set status=$System.Security.AddRoles("MyPrivilegedRoutineApplication")
This way you ensure that indeed the added (elevated) roles "evaporate" for the User running this code, once the User is out of the scope of that routine/method.
[Thank you @Andreas Dieckow for validating this]