Sandbox the service
In the wake of two recent CVEs directly affecting NetworkManager, please sandbox the service unit NetworkManager runs in to restrict its access as much as possible, so that any damage can be contained to that restricted environment. systemd's networkd is already secured properly (which is why both of the remotely exploitable bugs in networkd and resolved weren't quite effective as the services were secured).
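As an added example (not part of the original report and not NetworkManager's own code), the sketch below audits a service unit plus its drop-ins for systemd sandboxing directives that are unset or switched off. The unit text, the drop-in, the capability list and the choice of directives in the checklist are constructed for illustration; which settings NetworkManager can actually run under has to be tested.

```python
# Sandboxing directives documented in systemd.exec(5). The selection is an
# assumption for this example, not a vetted profile for NetworkManager.
HARDENING = [
    "ProtectSystem", "ProtectHome", "PrivateTmp", "NoNewPrivileges",
    "CapabilityBoundingSet", "ProtectKernelTunables", "ProtectControlGroups",
    "RestrictAddressFamilies", "SystemCallFilter", "MemoryDenyWriteExecute",
]

# Constructed sample unit and drop-in (not the shipped NetworkManager.service).
UNIT = """\
[Unit]
Description=Network Manager (constructed sample)

[Service]
Type=dbus
ExecStart=/usr/sbin/NetworkManager --no-daemon
ProtectSystem=no
"""
DROPIN = """\
[Service]
ProtectSystem=true
ProtectHome=read-only
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
"""

def service_settings(*unit_texts):
    """Merge [Service] keys from a unit and its drop-ins, in load order."""
    settings, section = {}, None
    for text in unit_texts:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Service" and "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                if value == "":
                    settings.pop(key, None)  # empty assignment resets the key
                else:
                    settings.setdefault(key, []).append(value)
    return settings

def missing_hardening(settings):
    """Directives that are absent, or whose last value disables them."""
    off = {"no", "false", "off", "0"}
    return [d for d in HARDENING
            if d not in settings or settings[d][-1].lower() in off]

if __name__ == "__main__":
    print("unit only   :", missing_hardening(service_settings(UNIT)))
    print("with drop-in:", missing_hardening(service_settings(UNIT, DROPIN)))
```

On a running host, `systemd-analyze security NetworkManager.service` reports systemd's own exposure assessment for the loaded unit.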