Enable systemd sandboxing feature in unit files

Sandboxing employs kernel facilities such as namespacing, system call filters, and capabilities(7) to raise the security posture for the services covered. Documentation at https://manpages.debian.org/unstable/systemd/systemd.exec.5.en.html#SANDBOXING

Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089798
