It's either a) change the group on the /dev/bpf entries and add your user to that group or b) run Wireshark as root.

b) would in general be a lot safer, in that you're elevating one process rather than lowering a privileged interface so that every process you run can sniff it.

Correct - Least Privilege says you do the absolute least you need to do in order to make things work, so that any errors are limited to that one part of the system.

What's been done here by Wireshark isn't least privilege, or secure. Its like the opposite of least privilege and security.

On Linux you can give an executable admin access to network devices with setcap which narrows it down further. Is the same possible on OS X?

Edit. Actually this is worse than running as root isn't it!

setcap is in principle better than setuid if your program is something like ping. Or in this case, wireshark.