Systemd service files allow restricting the access rights of the daemon they start. Take for instance cupsd; it runs as root, but access to the filesystem can be limited by adding these lines to the unit file:
ReadOnlyPaths=/
ReadWritePaths=/var/cache/cups /etc/cups /run/cups /var/log/cups
A lot more restrictions can be added; see systemd.exec(5).
I maintain my patched unit files in /usr/local/lib/systemd/system where they don't get overwritten when I update the system.
Now my question: Has anybody done a similar thing? Anything on GitHub?
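A drop-in override for cups.service that extends the two directives above with further sandboxing from systemd.exec(5), as an added example that is not part of the original post. The unit name cups.service, the extra /var/spool/cups spool path and the chosen directive set are assumptions about a default CUPS install, and it uses a drop-in under /etc/systemd/system rather than a full copy of the unit:

```ini
# Assumed path: /etc/systemd/system/cups.service.d/hardening.conf
# (created with `systemctl edit cups.service`, then `systemctl daemon-reload`).
# Example override, not shipped by CUPS or any distribution.
[Service]
# strict = whole hierarchy read-only except /dev, /proc, /sys;
# a stronger form of ReadOnlyPaths=/ from the post.
ProtectSystem=strict
# Empty assignment clears any ReadWritePaths= set by the packaged unit
# or earlier drop-ins before the list below is applied.
ReadWritePaths=
ReadWritePaths=/var/cache/cups /etc/cups /run/cups /var/log/cups
# Assumption: default RequestRoot, so the job spool must stay writable.
ReadWritePaths=/var/spool/cups
# No access to /home, /root or /run/user.
ProtectHome=yes
# Private /tmp and /var/tmp (cupsd defaults to /var/spool/cups/tmp anyway).
PrivateTmp=yes
# Read-only /proc/sys, /sys, no module loading, read-only cgroup tree.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# PrivateDevices= is deliberately NOT set: USB and parallel backends
# need the real /dev/bus/usb and /dev/lp* nodes.
# Sockets cupsd needs: IPP over TCP, the local domain socket, and
# AF_NETLINK because glibc's getifaddrs() enumerates interfaces over it.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallArchitectures=native
```

Check the effective settings with `systemctl show -p ReadWritePaths -p ProtectSystem cups.service` and score the result with `systemd-analyze security cups.service`; print a test page afterwards, because a missing writable path shows up as EROFS in `journalctl -u cups.service`.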