nix-community / vulnix

Vulnerability (CVE) scanner for Nix/NixOS.


Feature request: In-memory roots from currently-running processes

chkno opened this issue · comments


--gc-roots is good because it includes all the roots in use by currently-running processes (found by rummaging through /proc/). But --gc-roots is bad because it includes all the old profiles.

nixos-rebuild switch, nix-env updates, etc. (intentionally) don't restart everything. vulnix ought to be able to raise issues with currently-running jobs (especially because nix dynamic gc-root tracking already does all the hard work here).

Please provide an option to just include the roots from currently-running processes.
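As an added illustration (not vulnix code and not from the issue author) of the /proc rummaging the request refers to: a shell function that collects the store paths behind each running process's executable, working directory, open files and memory maps, which is the "in-memory roots" set the issue asks for, without touching old profiles. The function names, the fake /proc fixture and the store hashes in it are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of vulnix: list the Nix store paths referenced by
# running processes, read from /proc the way nix's runtime gc-root discovery
# does. Old profiles that no process uses are never visited.
# Usage: runtime_store_paths [PROC_DIR] [STORE_PREFIX]  (defaults: /proc, /nix/store)
runtime_store_paths() {
  local proc="${1:-/proc}" store="${2:-/nix/store}" pid target
  {
    for pid in "$proc"/[0-9]*; do
      [ -d "$pid" ] || continue
      # exe, cwd and every fd are symlinks; other users' processes are
      # unreadable without privilege and are skipped silently.
      for target in "$pid/exe" "$pid/cwd" "$pid"/fd/*; do
        readlink "$target" 2>/dev/null || true
      done
      # Mapped files (shared libraries etc.) are in column 6 of maps.
      awk 'NF >= 6 { print $6 }' "$pid/maps" 2>/dev/null || true
    done
  } | grep -o "^$store/[^/]*" | sort -u   # keep only the top-level store path
}

# Constructed fake /proc tree (hypothetical store hashes) so the function can
# be exercised offline; prints the directory it created.
make_fake_proc() {
  local root; root="$(mktemp -d)"
  mkdir -p "$root/100/fd" "$root/200"
  ln -s /nix/store/aaaa-bash-5.2/bin/bash "$root/100/exe"
  ln -s /home/user "$root/100/cwd"                       # not a store path
  ln -s /nix/store/bbbb-openssl-3.0/lib/libssl.so.3 "$root/100/fd/3"
  printf '%s\n' \
    '7f00-7f10 r-xp 00000000 08:01 1 /nix/store/cccc-glibc-2.37/lib/libc.so.6' \
    '7f20-7f30 rw-p 00000000 00:00 0' > "$root/100/maps"
  # A process whose binary was replaced by an update after it started: the
  # kernel appends "(deleted)", but the old store path is what is still running.
  ln -s '/nix/store/aaaa-bash-5.2/bin/bash (deleted)' "$root/200/exe"
  printf '%s\n' "$root"
}
```

Calling `runtime_store_paths` with no arguments scans the real /proc of the current machine; the resulting list is exactly the set of roots that would still be vulnerable after an update that did not restart the affected services.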