Local policy error when disabling SIP on Big Sur/M1

From Apple's page About System Integrity Protection on your Mac

Before System Integrity Protection, the root user had no permission restrictions, so it could access any system folder or app on your Mac. Software obtained root-level access when you entered your administrator name and password to install the software. That allowed the software to modify or overwrite any system file or app.

So, based on the premise of your question, a good sys admin would have used strong passwords, admin permissions to only users/apps that you trust and only using sudo when necessary.

Ok...let's look at a hypothetical, but entirely plausible scenario: Installing VirtualBox.

Assume for a moment, that the VirtalBox site got hacked and a malicious version of VB was uploaded and made available as genuine. Since to install VB it requires root privileges, you would invariably use sudo to install it (this is why it asks you for your password).

Without SIP, it could write to any of the protected areas as root installing itself with full admin privileges to do whatever nefarious things it wanted to do. It's important to note that the security practices you enumerated in your question never came into play.

It's just another layer of protection.

A Mac with SIP is no more or less safe than a Windows 10 machine with System Protection enabled. "Linux" is too broad a topic to make a statement. However, there is Oracle "Hardened" Linux (version of RedHat Enterprise) that has these features.

3 Solutions, or more likely workarounds
(Found them myself, but thanks to Thorbjørn Ravn Andersen anyways!)

To reiterate and clarify: I want to start in recovery mode of El Capitan on a MacBook Pro 2011 which has said OS as a partition and on another the ("factory set") Snow Leopard. Since El Capitan had - for an for me unknown reason?! - no recovery partition installed, my actual goal was to start internet recovery mode of El Capitan. This did not work since whenever I pressed [Cmd + R] at the chime, it started into recovery mode of Snow Leopard, which doesn't contain the wanted terminal command "csrutil" yet.

I went with option E)2. (above) and installed OS El Capitan on an empty external disk. After rebooting and holding the [Opt key] at the chime, I was able to choose the recovery partition of the newly installed system on the external drive, and afterwards disable SIP.

Thorbjørn Ravn Andersens solution will probably work too: A bootable USB stick - that's essentially the same as I did, but might be faster (?)... A third solution is probably (E)2.) reinstalling El Capitan to get the recovery partition (again?).

But even though those solutions (might) work, all of them include the time and space consuming (re-)installing of El Capitan. Since El Capitan should also have a internet recovery mode option it's unfortunate that one does not seem to be able to boot into that, if you have multiple (and older and "factory set") OS installed. (Option D)2., change the default start up disk to El Capitan and hit [(Opt +) Cmd + R] at the chime, should be working, but doesn't...)

So my Question is actually not solved completely, so I'll leave it open...
Thanks to every one who can give further advise! :D