[th/cloud-setup-more-sandboxing] cloud-setup: more sandboxing in service file

this is mostly a test, to see whether we can do more sandboxing.

Not ready to be merged.

It probably also will require patches for contrib/fedora/rpm/ to adjust the service file for downstream.