Let's assume if SIP is disabled and permissions get either maliciously or intentionally, but misguidedly changed. How to restore these permissions to their factory settings?
What is the Current Best Practice to Remedy Such a Situation, Once it has Occured?
It doesn't really matter exactly how a Sierra installation might end up with less than ideal, 'broken' or 'breaking', or simply altered permissions on its system files or directories.
The question from the title is in slightly longer form:
How do you reset the file system permissions in Sierra that are relevant to the systems operation to their default settings?
Best Answer
This is really quite easy.
Since all installs are archive and install, the operation to install Sierra drops a proper, SIP protected, proper permissions system and then calls Apple's migration scripts which should migrate all apps and configurations from the old system with proper permissions in place.
Then you can add a new admin user and remove each old user one by one - leaving their home folders alone. When you rename the old user home as a new short name - when you add those users in - that will fix the permissions on a per user basis.