Introduce systemd features to improve security
systemd supports features like ReadOnlyDirectories and dropping capabilities. We should make use of them to improve the security of the overall system.
One caveat, though: AFAIK, different versions of systemd support different "droppable" capabilities. If one is using a list of capabilities and only one of them isn't supported, all of them are ignored.
This needs research and further discussion; for now that's just a starting point to keep track of it (and to counter my bad memory...)
Edited by georg
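
One way to detect the failure mode raised in the caveat above is to compare the bounding set a unit asks for with the `CapBnd` mask the running service actually has. This is an added example, not code from this project. It assumes a single `CapabilityBoundingSet=` line, makes no claim about how any systemd version treats unknown names, and uses constructed inputs (`CAP_FROBNICATE`, the unit text and both status excerpts are made up).

```python
import re

# Capability names in bit order, as in linux/capability.h (CAP_CHOWN is bit 0).
CAPS = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
        "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN "
        "NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE "
        "SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME "
        "SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP "
        "MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ "
        "PERFMON BPF CHECKPOINT_RESTORE").split()
BIT = {"CAP_" + name: i for i, name in enumerate(CAPS)}

def expected_mask(unit_text, cap_last_cap):
    """Return (mask, unknown_names) for the unit's CapabilityBoundingSet= line."""
    found = re.findall(r"^[ \t]*CapabilityBoundingSet[ \t]*=(.*)$", unit_text, re.M)
    if len(found) != 1:  # assumption: merging of repeated lines is out of scope
        raise ValueError("expected exactly one CapabilityBoundingSet= line")
    value = found[0].strip()
    invert = value.startswith("~")  # "~" means: everything except the listed caps
    full = (1 << (cap_last_cap + 1)) - 1
    listed, unknown = 0, []
    for name in value.lstrip("~").split():
        bit = BIT.get(name)
        if bit is None or bit > cap_last_cap:
            unknown.append(name)  # not known to this table or this kernel
        else:
            listed |= 1 << bit
    return (full & ~listed if invert else listed), unknown

def check(unit_text, proc_status, cap_last_cap):
    """Compare the requested bounding set with CapBnd of the running service."""
    want, unknown = expected_mask(unit_text, cap_last_cap)
    have = int(re.search(r"^CapBnd:\s*([0-9a-fA-F]+)$", proc_status, re.M).group(1), 16)
    extra = [n for n, b in BIT.items() if (have & ~want) >> b & 1]
    return {"applied": have == want, "unknown": unknown, "extra": extra}

# Constructed inputs: CAP_FROBNICATE is a made-up name; both status excerpts are
# invented stand-ins for /proc/<MainPID>/status on a kernel with cap_last_cap=40.
UNIT = ("[Service]\nExecStart=/usr/bin/example\n"
        "CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_FROBNICATE\n")
STATUS_UNRESTRICTED = "Name:\texample\nCapBnd:\t000001ffffffffff\n"
STATUS_RESTRICTED = "Name:\texample\nCapBnd:\t0000000000000480\n"

if __name__ == "__main__":
    for label, status in (("unrestricted", STATUS_UNRESTRICTED),
                          ("restricted", STATUS_RESTRICTED)):
        result = check(UNIT, status, 40)
        print(label, result["applied"], result["unknown"], len(result["extra"]))
```

On a real host the inputs would come from the unit file, from `/proc/<MainPID>/status` (the PID is reported by `systemctl show -p MainPID`), and from `/proc/sys/kernel/cap_last_cap`.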