A stab in the dark it really was.
By far excluding the trac above the friendly urls works (had deleted the error pages and forgot to update the docid, go me) but only for the trac itself.
The login is still producing a 404, with the following bits in the .htaccess:
# Exclude /assets and /manager directories from rewrite rules
RewriteRule ^(manager|assets|trac) - [L]
# For Friendly URLs
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME} !trac\/ [NC]
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
Might experiment more tomorrow with a Moccamaster on standby.
Yet I’m still wondering if the login is done with a <Location>-bit, will the mod_rewrite acknowledge the fact that /trac/login is pointing to a virtual path/file. As far as my knowledge of mod_rewrite goes, you should be able to pick up the login bit on REQUEST_URL as, if my memory doesn’t fail hard on me, that bit should be the full path the browser is requesting, e.g. index.php on the site’s root would be /index.php
Edit: After poking with various methods, it occurred to me that why not check for the referer... no need to say it works... sort of: you can log in only if you do it from the trac, direct login will just spew out a 404.
"Final" version of the rewrite I currently have is the following:
# Exclude /assets and /manager directories from rewrite rules
RewriteRule ^(manager|assets|trac) - [L]
# For Friendly URLs
RewriteCond %{HTTP_REFERER} !.*trac.*
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]