Any tips/tricks people have used to limit records visible (based on user's role) to scripted saved searches when run via a suitelet (that's deployed to run as any role other than "current role") - e.g. follow native role restrictions sometimes, but not always.

You can use a client script to get the actual user's role and then query and set the list data on the client side. Since it is client side, it will probably be a little slower but that's the best way i've come around