First, to get --seccomp=execve to even work, you also need to pass in --shell=none. Otherwise firejail will start a bash shell, and then execute the command in that...using the execve syscall. Not sure of the full impacts of disabling the shell, will it interfere with signal handling?
Regardless, because of limit.sh, we end up with:
km@km-pt:~$ firejail --quiet --profile=/srv/mediawiki/core/includes/shell/firejail.profile --blacklist=/srv/mediawiki/core/LocalSettings.php --noroot --seccomp=@default,execve --shell=none --net=none --debug --allow-debuggers -- /bin/bash '/srv/mediawiki/core/includes/shell/limit.sh' ''\''timidity'\'' '\''--version'\'' 'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes' /srv/mediawiki/core/includes/shell/limit.sh: line 99: 5 Bad system call 'timidity' '--version' MW_INCLUDE_STDERR=
If we implemented T179021: Investigate using firejail to replace limits.sh if it's installed this problem would go away, but that requires a newer version of firejail.