Systemd has a few features that allow you to sandbox systemd services to prevent the damage that a compromised service could do.
It would be good to apply some sandboxing by default to some services. A lot of settings like PrivateHome=true can be set for most services without breaking anything.
I can create some sandboxes and test them for a few services if needed. They could probably be placed in security-misc.
A related Tor ticket: https://trac.torproject.org/projects/tor/ticket/20930
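As an added example (not from the post, security-misc or the Tor ticket), a systemd drop-in that applies the kind of default sandboxing the post describes to a hypothetical example.service; the unit name and the /var/lib/example path are assumptions, and the directive systemd itself uses for hiding home directories is ProtectHome=.

```ini
# /etc/systemd/system/example.service.d/sandbox.conf   (hypothetical unit)
# Drop-in: merged on top of the vendor unit after
#   systemctl daemon-reload && systemctl restart example.service
[Service]
# Hide /home, /root and /run/user from the service.
ProtectHome=yes
# Private /tmp and /var/tmp; other processes' temp files are invisible.
PrivateTmp=yes
# Private /dev containing only pseudo-devices (/dev/null, /dev/zero, ...).
PrivateDevices=yes
# Entire filesystem read-only except /dev, /proc and /sys; every path the
# service must write to has to be listed explicitly (assumed state dir).
ProtectSystem=strict
ReadWritePaths=/var/lib/example
# No privilege gain via setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
# Read-only /proc/sys, /sys and cgroup tree; no module loading, no clock
# or hostname changes, no access to the kernel log buffer.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
# No new namespaces, personality changes, realtime scheduling or
# creation of setuid/setgid files.
RestrictNamespaces=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Refuse mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
# Sockets limited to Unix, IPv4 and IPv6.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Drop all capabilities; add back only the ones the service really needs.
CapabilityBoundingSet=
# Seccomp: allow the system-service group, then remove the privileged and
# resource-control groups; denied calls fail with EPERM instead of SIGSYS.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
# Other users' processes are not visible in /proc.
ProtectProc=invisible
```

Verify the effect with `systemd-analyze security example.service`, which reports an exposure score per directive, and watch the journal after the restart: a service that writes anywhere not covered by ReadWritePaths= fails with EROFS/EPERM until that path is added.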