[thwarted]

Yeah, that's what I gathered too. But if you can't find the output, output that is implicitly associated with a process tree as in this example, it is effectively lost. And even if you could find it, that it's disassociated from the origin reduces the utility of having captured the output at all.

SO_PEERCRED is on a per-socket basis, not per-write basis. From unix(7):

              This read-only socket option returns the credentials of
              the peer process connected to this socket.  The returned
              credentials are those that were in effect at the time of
              the call to connect(2) or socketpair(2).

Child processes that inherit the file descriptor like in the example would not influence the SO_PEERCRED result. So it must be something else. For vague reasons.