Currently we are running Thumbor under Firejail. Since we will be upgrading Thumbor servers to buster, we could investigate if we can get the same protection by enabling systemd hardening options.
In addition, it makes sense to investigate whether we can also wrap invocations of external converters like Ghostscript in Firejail (with a profile similar to MediaWiki, i.e. restricting network use to a network namespace bound to localhost).
Update: Looks like it works alright. If we are to use it in prod, we need a condition to use systemd hardening only in stretch.
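
For illustration, a systemd drop-in using hardening directives that cover much of what a Firejail profile restricts. This is an added example, not the configuration from this task or the one deployed. The unit name `thumbor@.service`, the drop-in path and the writable directory are assumptions, and which directives are accepted depends on the systemd version of the release.

```ini
# Hypothetical path: /etc/systemd/system/thumbor@.service.d/hardening.conf
[Service]
# Block privilege gain through setuid/setgid binaries and file capabilities,
# and drop every capability from the bounding set.
NoNewPrivileges=yes
CapabilityBoundingSet=

# Private /tmp and /var/tmp, so converter scratch files are not shared
# with other services on the host.
PrivateTmp=yes

# Minimal /dev without physical devices.
PrivateDevices=yes

# Mount the whole file system hierarchy read-only for the service, hide
# home directories, and re-open only the directory the service must write to
# (assumed location).
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/thumbor

# Kernel tunables, module loading and the cgroup tree are out of reach.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# The service still has to answer HTTP requests, so PrivateNetwork=yes
# (a namespace with only a loopback interface) is not applied to the unit
# as a whole. Limit the socket families instead; per-converter network
# isolation stays with the Firejail wrapper discussed above.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Only native-architecture system calls, no realtime scheduling.
SystemCallArchitectures=native
RestrictRealtime=yes
```

After `systemctl daemon-reload`, the journal shows a warning for any directive the running systemd does not recognise, which is a quick way to see which settings need a per-release condition.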