Real value of MAC models in Linux


I have read about MAC vs. DAC on the Internet, but I still fail to understand what kind of attack it is impossible to protect against if one only uses DAC+capabilities in comparison to MAC+DAC+capabilities. If a process does not run as root and lacks CAP_DAC_OVERRIDE, CAP_FOWNER and other dangerous capabilities, it cannot overcome the already assigned ownership and ACLs of the resources it uses. On the other hand, if a process runs as root and has CAP_MAC_ADMIN, it can overwrite the security context enforced by MAC.

So is MAC "just an additional layer of protection" without any real advantage on a modern Linux system?
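
The capability premise in the question can be checked per process. The following is an added example, not part of the original post: it decodes the `Cap*` bitmasks from `/proc/<pid>/status` and reports which DAC-bypassing and MAC-bypassing capabilities a process holds. The function names and the three sample status texts are constructed for illustration; the bit numbers are those defined in `linux/capability.h`.

```python
import re

# Capability bit numbers as defined in include/uapi/linux/capability.h.
CAP_BITS = {"CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2, "CAP_FOWNER": 3,
            "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33}
DAC_BYPASS = {"CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER"}
MAC_BYPASS = {"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN"}

# Constructed samples in the layout of /proc/<pid>/status (hypothetical processes).
ROOT_STATUS = ("Name:\tdaemon-a\nCapInh:\t0000000000000000\n"
               "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n")
UNPRIV_STATUS = ("Name:\tdaemon-b\nCapInh:\t0000000000000000\n"
                 "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n")
# Permitted set holds CAP_DAC_OVERRIDE (bit 1), but it is not currently effective.
LATENT_STATUS = ("Name:\tdaemon-c\nCapInh:\t0000000000000000\n"
                 "CapPrm:\t0000000000000002\nCapEff:\t0000000000000000\n")

def parse_cap_sets(status_text):
    """Return the Cap* fields of a status file as {field name: integer bitmask}."""
    pattern = r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)[ \t]*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def held(mask):
    """Names of the watched capabilities whose bit is set in mask."""
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}

def audit(status_text):
    """Classify effective capabilities; 'latent' ones are permitted but not effective."""
    sets = parse_cap_sets(status_text)
    effective = held(sets["CapEff"])
    # A process can raise a permitted capability into its effective set itself,
    # so permitted-only bits still matter when judging what DAC can guarantee.
    latent = held(sets["CapPrm"]) - effective
    return {"dac_bypass": sorted(effective & DAC_BYPASS),
            "mac_bypass": sorted(effective & MAC_BYPASS),
            "latent": sorted(latent)}

if __name__ == "__main__":
    # On a Linux host, audit the interpreter's own process.
    with open("/proc/self/status") as f:
        print(audit(f.read()))
```
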