Draft: data/NetworkManager.service: restrict the unit some more
This adds some low-hanging food to improve our score with "systemd-analyze security" by one point:
Before:
→ Overall exposure level for NetworkManager.service: 7.8 EXPOSED
After:
→ Overall exposure level for NetworkManager.service: 6.8 MEDIUM
Nothing particularly impactful here: we still got DAC_OVERRIDE, we still can insert loadable modules (as opposed to relying on autoload) and read user home directories. But there's a slight chance this may save our butts one day, who knows.