Apps that need system permissions are microG Services Core (or, for the record, UnifiedNLP (no GAPPS)) and microG Services Framework Proxy*. Moving them to
/system/priv-app should be enough, yes.
*= although this app is just a layer of compatibility with legacy apps and I personally never needed it. In fact, I didn’t ever have it installed. I won’t bother to move it.
Any external utility won’t be needed when this @z3ntu patch is merged and you’ll just need to disable root in the Developer options. But be aware that the official position of the LineageOS team is not to interfere with SafetyNet check.