Live dataset migration
Currently the mechanism for migrating datasets is to restore the latest backup on the new host, which introduces a worst-case 1-day data loss. While this is more or less fine for most of the services currently in float (that can easily tolerate data loss), and it's the right thing to do when the original host has failed, it's kind of an ugly constraint to have if the original data is still "right there", and it would be much better to have the capability for live dataset migration.
This could easily be implemented as a global rsync service, though it would introduce an avenue for lateral data movement between hosts (once there is local root compromise). On the other hand, this is already possible via the backup system since we have automated transparent restores on different hosts by design.