However, when we have a postfix server on the same machine, that delegates authentication to dovecot SASL ... we can indeed log in as root on the postfix server.
You are not logging into Dovecot with root, you are connecting to Postfix for submission. When you connect to dovecot using linux users (PAM) the process running takes on the UID of the login user to give file permissions to read that users home directory where email could be stored. The risk being if someone had root UID:0 they could read anything on the server, not just the home directory of a user. But you aren't logging into Dovecot, you are connecting to Postfix. You aren't checking mail or reading directories. You are only submitting an email to Postfix for submission services. Postfix runs as its own Postfix UID no matter who you authenticate as. So even though you are authenticating yourself with root credentials, you aren't doing so as the root UID, you aren't reading email, and you aren't accessing any file systems like Dovecot would be.
