Postgres 16: Bootstrap user must have superuser role.


Article ID: 422930


Products

VMware Tanzu Data Suite, VMware Tanzu for Postgres

Issue/Introduction

In PostgreSQL 16 and above, a hard-coded security check was introduced that prevents the bootstrap superuser (usually the postgres role or the role that initialized the database) from having its SUPERUSER attribute revoked.

Why did it work in 14.x and 15.x?

In earlier versions, the check for "who is a superuser" was more flexible. You were able to create a new superuser role, log in as that new role, and then strip the SUPERUSER attribute from the original postgres (or etadm) role. While possible, this was considered a "risky" practice because many internal functions and extensions expect the bootstrap user to have full privileges.


Environment

Postgres 16 and Later

Cause

Because etadm is the role that owns the binaries and has initialized the data directory, the database now recognizes it as the permanent "root" of the cluster.

Resolution

The Postgres dev community decided that allowing the bootstrap user to become a non-superuser was dangerous. Because this user owns all built-in objects and system catalogs, removing its superuser status could lead to "unrecoverable" states where essential maintenance or recovery tasks cannot be performed.
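The following audit is an added example, not part of the original article or of any VMware or PostgreSQL tooling. It relies on the bootstrap role always having OID 10 in PostgreSQL and uses the role name etadm from this article; substitute your own bootstrap role name. Run it as a superuser, for instance before upgrading a 14.x or 15.x cluster where the attribute may have been stripped.

```sql
-- 1. List every superuser role and mark the bootstrap role.
--    The bootstrap role is the one with OID 10, whatever its name is.
SELECT oid,
       rolname,
       rolsuper,
       rolcanlogin,
       CASE WHEN oid = 10 THEN 'bootstrap' ELSE 'created later' END AS origin
FROM   pg_roles
WHERE  rolsuper OR oid = 10
ORDER  BY oid;

-- 2. Report the state that PostgreSQL 16 no longer allows:
--    a bootstrap role that has lost SUPERUSER (possible on 14.x / 15.x).
SELECT rolname AS bootstrap_role,
       current_setting('server_version_num')::int AS server_version_num,
       CASE
         WHEN rolsuper THEN 'ok: bootstrap role is a superuser'
         ELSE 'action needed: bootstrap role is NOT a superuser'
       END AS status
FROM   pg_roles
WHERE  oid = 10;

-- 3. If step 2 reports "action needed" on a 14.x / 15.x cluster, restore the
--    attribute while connected as another superuser.
--    (etadm is the example role name from this article.)
ALTER ROLE etadm SUPERUSER;

-- 4. On PostgreSQL 16 and later the reverse change is rejected with an error.
--    Wrapped in a transaction that is rolled back, so that on 14.x / 15.x,
--    where the statement would succeed, nothing is changed.
BEGIN;
ALTER ROLE etadm NOSUPERUSER;
ROLLBACK;
```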

Additional Information

This change is documented in the PostgreSQL 16 Release Notes:

"Prevent removal of superuser privileges for the bootstrap user. Restoring such users could lead to errors." (Robert Haas) — Source: PostgreSQL 16 Release Notes