Use Systemd security limitations
I noted that Pulseaudio's user service has systemd restrictions that pipewire/pipewire-pulse does not have.
Porting over the following to pipewire/pipewire-pulse just worked (tested audio playing and screen sharing with Firefox):
LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes RestrictNamespaces=yes SystemCallArchitectures=native SystemCallFilter=@system-service
Plan to evaluate more possible restrictions on this thread and then make a PR.