Since execve resets the effective capabilities need to add them to ambient before testing, e.g., this will show advanced kernel tracing such as the block events:

export cs=cap_dac_read_search,cap_perfmon; capsh --keep=1 --user=bnikolic   --inh=$cs --addamb=$cs -- -c "perf list" | head -n 30

While this will `only’ show the CPU PMUs and similar

export cs=cap_perfmon; capsh --keep=1 --user=bnikolic   --inh=$cs --addamb=$cs -- -c "perf list" | head -n 30

Good explanation of how capsh and capabilities work: https://unix.stackexchange.com/questions/196483/how-do-i-use-capsh-i-am-trying-to-run-an-unprivileged-ping-with-minimal-capabi