It only makes sense to populate %buildroot during install, as we're already asking %install and %clean to prune the %buildroot.
Furthermore abusing the %buildroot during %prep and %build may have issues with stepped rpmbuilds ("short-circuited") and a non-deterministic choice in the buildroot (e.g. one that contains a random component).
Scriplets are only allowed to write in certain directories (current)
Build scripts of packages (%prep, %build, %install and %check) may only alter files (create, modify, delete) under %{buildroot}, %{_builddir} and valid temporary locations like /tmp, /var/tmp (or $TMPDIR or %{_tmppath} as set by the rpmbuild process).
Further clarification: That should hold true irrespective of the builder's uid
Scriplets are only allowed to write in certain directories (proposed)
Build scripts of packages (%prep, %build, %install, %check and %clean) may only alter files (create, modify, delete) under %{buildroot}, %{_builddir} and valid temporary locations like /tmp, /var/tmp (or $TMPDIR or %{_tmppath} as set by the rpmbuild process) according to the following matrix
| /tmp, /var/tmp, $TMPDIR, %{_tmppath} | %{_builddir} | %{buildroot} | |
| %prep | yes | yes | no |
| %build | yes | yes | no |
| %install | yes | yes | yes |
| %check | yes | yes | no |
| %clean | yes | yes | yes |
Further clarification: That should hold true irrespective of the builder's uid.