The security settings of the System module are fixed, and a System.user object is considered a private thing of that specific System.user. To work around this, you can derive from System.user and adjust the security, adding members if necessary. For example the default Administration provides the Administration.Account object.
Your proposed workaround is indeed insecure, and far from ideal.
The way to work with these restrictions is using Microflows, since they do not need to obey the security settings. For example you could add an _Active attribute, and copy its value in a before commit, or create a microflow 'Make active' which does something similar and couple it to a button in your form.