There are a few ways to handle per-daemon credentials, one is:
Make a directory dedicated to your service (e.g. /var/<name>) with 0700 permissions
Put a new keychain and text file containing its password in the directory
At launch, your daemon unlocks the keychain using the file, and sets any settings (e.g. disable lock on sleep, etc)
Continue to use ACLs on keychain items so only your daemon process has access
Another thing I've done with various unprivileged services is to have a special "root" mode where the process checks the euid at launch, and if running as root it performs setup actions (like creating the directory and contents) and/or fixups (fixing permissions, checking for other issues, etc.), then immediately exits (refuses to run as root). It's easy to run from a PKG's postinstall script, keeps the configuration information out of other files like scripts, and could do the kind of maintenance that daemons sometimes require. It should ignore command-line arguments in that mode for safety's sake, though.
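The two ideas above (a 0700 service directory holding a keychain plus its password file, and a root-only setup mode that refuses to run the daemon) as one added example script, not the commenter's code; it assumes a service named "exampled" under /var/exampled and macOS's `security` CLI for the keychain steps, which are skipped where that tool is absent.

```shell
#!/bin/sh
# Added example: per-daemon keychain setup ("root mode") and launch-time unlock.
# Assumptions: service name "exampled", directory /var/exampled, macOS `security` CLI.
set -eu

SERVICE_DIR="${SERVICE_DIR:-/var/exampled}"   # assumed service directory

# 32 random bytes as 64 hex characters; this becomes the keychain password.
new_password() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Root-mode setup: 0700 directory, 0600 password file, dedicated keychain.
# Idempotent, so re-running it from postinstall doubles as a permissions fixup.
setup_service_dir() {
    dir="$1"
    umask 077                                  # nothing created here is group/world readable
    mkdir -p "$dir"
    chmod 0700 "$dir"
    if [ ! -s "$dir/keychain.pw" ]; then       # keep an existing password on re-run
        new_password > "$dir/keychain.pw"
    fi
    chmod 0600 "$dir/keychain.pw"
    if command -v security >/dev/null 2>&1 && [ ! -f "$dir/service.keychain" ]; then
        security create-keychain -p "$(cat "$dir/keychain.pw")" "$dir/service.keychain"
        # No -l/-u/-t flags: the keychain neither locks on sleep nor after a timeout.
        security set-keychain-settings "$dir/service.keychain"
    fi
}

# Launch-time unlock, run by the daemon under its own uid. The password is briefly
# visible in argv, so the 0700 directory and per-item ACLs remain the real guard.
unlock_keychain() {
    dir="$1"
    security unlock-keychain -p "$(cat "$dir/keychain.pw")" "$dir/service.keychain"
}

main() {
    if [ "$(id -u)" -eq 0 ]; then             # id -u reports the effective uid
        # Root mode deliberately ignores "$@": no caller-supplied paths or flags.
        setup_service_dir "$SERVICE_DIR"
        echo "root setup complete; refusing to run the daemon as root" >&2
        exit 0
    fi
    unlock_keychain "$SERVICE_DIR"
    # ... the daemon's real work continues here as the service uid
}

# Only the real entrypoint runs main; sourcing the file for reuse does nothing.
if [ "${1:-}" = "--entrypoint" ]; then main; fi
```

Run as `exampled --entrypoint` from a PKG postinstall script (root) to create the directory, then from launchd as the service user to unlock and serve.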