From this answer I understand that seccomp-bpf filters the list of syscalls a process can call. Similarly, the capabilites mechanism will cause a syscall to fail if the caller does not have the capability necessary for that syscall.
What I want to understand if there are scenarios in which one mechanism is more powerful than the other.
In other words: Given a process running with a minimal set of capabilites, is there any additional protection a good seccomp profile can provide?