 
Ideally I would like a link to a webpage entitled "How I learnt to stop worrying and run spamass-milter as root".
We've got a few boxen running spamd as non-privileged user, but spamassassin milter runs as root with no problems.
On the flip-side to your query, I haven't found anything that states spamass milter shouldn't be run as root.
Also, a related question: is it worth installing pyzor, or will spamassassin on its own be enough? I ask because pyzor doesn't seem to be in any of the main repositories.
Don't know about Pyzor specifically, but we use Vipul's Razor with success. Our situation is that we're an ISP, so we like the extra checking to be as absolutely sure as possible that we're only rejecting real spam. Of course a few spams still trickle through, but we haven't had a single false positive.