My quick analysis showed that the issue is caused by the capset() call in leave_suid(). Not sure how it affects creating the pid file, though this happens well before the leave_suid() call.
Squid starts leaving suid very early, then bounces back to root momentarily to perform privileged actions.
I think I understand what happens here... if you have TPROXY enabled Squid drops quite many capabilities to be able to keep some without running as root. One of those capabilities dropped is CAP_FOWNER and as result the pid file can only be created in directories owned by root.
You can verify if this is the cause by removing the enter/leave_suid calls from tools.c writePidFile() and around the related safeunlink call in main.c squidShutdown().
Commenting out enter_suid() in writePidFile() is able to create the PID file. On the other side, obviously if the directory holding the PID file is owned by root (like /var/run in Redhat) then the same type of problem would occur.
