I don't have any concerns/objections about setting this up, I mostly wanted to know the status of the various countermeasures mentioned in this task.
What kind of measures do you propose?
systemd supports various features to restrict running processes, e.g. for restricting filesystem access or disallowing potentially harmful syscalls using seccomp-bpf. This doesn't need to be present in the initial deployment, but it would be good to add in a follow-up step.
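The kind of restrictions mentioned above, as an added illustration that is not part of this task or of the project's own unit files: a drop-in override for a hypothetical `example-service.service` (the unit name, the `/var/lib/example-service` state directory and the listening port are placeholders) that locks down filesystem access and applies a seccomp-bpf syscall allow-list. Every directive is a real systemd option; the values are assumptions about what such a service would need.

```ini
# /etc/systemd/system/example-service.service.d/hardening.conf
# Added example for a hypothetical unit; adjust paths and the
# syscall sets to what the real service actually needs.
[Service]
# Drop the ability to gain privileges via setuid/setcap binaries.
NoNewPrivileges=true

# Filesystem: read-only OS, no /home, private /tmp, no raw devices.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# Only the service's own state directory stays writable (assumed path).
ReadWritePaths=/var/lib/example-service

# Kernel attack surface: no tunables, modules, cgroups, logs, clock.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
ProtectProc=invisible

# No new namespaces, personality changes, realtime scheduling or W+X memory.
RestrictNamespaces=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
MemoryDenyWriteExecute=true

# Sockets: IPv4/IPv6 and local unix sockets only (assumption about the service).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Capabilities: none, except binding a low port if the service needs it.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

# seccomp-bpf: start from the curated @system-service allow-list, then
# additionally deny the privileged/resource-control groups and any
# non-native syscall ABI. Denied calls fail with EPERM instead of SIGSYS,
# which makes a too-tight filter show up as an error rather than a crash.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount @obsolete
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
```

After `systemctl daemon-reload`, `systemd-analyze security example-service.service` prints a per-directive exposure report and an overall score, which is a convenient way to track the hardening follow-up; `journalctl -u example-service.service` will show any EPERM failures caused by a syscall the filter turned out to need, and the offending call can then be added back to `SystemCallFilter=` explicitly rather than loosening the whole set.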