This was found when a puppet master reimage was failing: T235067#5562514
Users/groups created by packages are added with s the default tool in Debian for this (adduser). We use the default Debian config for adduser (due to some dpkg limitation back in 2001 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541620 it gets created in the adduser.postinst instead of being shipped as a conffile). The default config specifies FIRST_SYSTEM_GID=100 and LAST_SYSTEM_GID=999, i.e. an ID from that pool is used when creating a user with the --system flag.
That's not a very good default for us to begin with: After all we're specifying various GIDs in the range >= 500 in data.yaml.
We should puppetise adduser.conf and reduce LAST_SYSTEM_GID to 499
There are various system users created during initial d-i base install, so it needs to be investigated if that change also needs to be applied to early install in some way or not.