So I think the bit of the systemd picture I was missing was the way that there’s a system systemd session, and separate per-user sessions that get started per login. Those sessions are what systemctl --user commnunicates with.

What I want to be doing is a. to run raspistill as a system service; b. to run that system service as my non-root user; c. to send that service signals from a script running under my non-root user’s crontab; d. not to need authenticating to do so.

It’s not clear that there’s any well-supported way to do this. The right way to send signals to a systemd service is with systemctl kill, but if you’re interacting with the system systemd session that needs authenticating even if the service is running as you. For now I’m just running pkill -USR1 raspistill from my crontab and it all works fine.