Use systemd to restrict pcscd rights
See article "Using systemd for more secure services in Fedora" https://lwn.net/Articles/709350/
https://lwn.net/Articles/709764/ "Hmm, yeah, I should probably blog more about all the nice sandboxing features we have now in systemd. There's quite some stuff now we should enable wherever we can. Specifically ProtectSystem=, ProtectHome=, ProtectKernelTunables=, ProtectKernelModules=, ProtectedControlGroups=, PrivateUsers=, PrivateTmp=, PrivateDevices=, PrivateNetwork=, SystemCallFilter=, RestrictAddressFamilies=, RestrictNamespaces=, MemoryDenyWriteExecute=, RestrictRealtime=.
For now, the only docs available for them are the man pages. Not all of them are available on all currently maintained Fedoras, but a good chunk is."
Copied from https://alioth.debian.org/tracker/index.php?func=detail&aid=315592&group_id=30105&atid=410088
From Debian lintian:
X: pcscd: systemd-service-file-missing-hardening-features usr/lib/systemd/system/pcscd.service
N:
N: The specified systemd .service file does not appear to enable any
N: hardening options.
N:
N: systemd has support for many security-oriented features such as isolating
N: services from the network, private /tmp directories, as well as control
N: over making directories appear read-only or even inaccessible, etc.
N:
N: Please consider supporting some options, collaborating upstream where
N: necessary about any potential changes.
N:
N: Please refer to the systemd.service(5) manual page and
N: http://0pointer.de/blog/projects/security.html for details.
N:
N: Visibility: pedantic
N: Show-Always: no
N: Check: systemd
N: This tag is experimental.
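As an added example (not from this issue, the lintian output, or the pcsc-lite project), here is a drop-in that applies the directives quoted above to pcscd.service while keeping the daemon working. The directive names are real systemd ones; the device and address-family allowances are assumptions about what pcscd and its USB reader drivers need, and should be verified against the readers actually in use.

```ini
# Install as /etc/systemd/system/pcscd.service.d/hardening.conf, then run
# `systemctl daemon-reload` and restart pcscd. Added example, not upstream's
# unit. The allowances marked "assumption" are what pcscd with USB readers is
# expected to need; adjust if a reader or driver stops working.
[Service]
# Filesystem: whole tree read-only, home directories inaccessible.
ProtectSystem=strict
ProtectHome=yes
# pcscd still needs a writable /run/pcscd for its client socket and state;
# RuntimeDirectory= creates it and keeps it writable under strict mode.
RuntimeDirectory=pcscd
PrivateTmp=yes
# Kernel interfaces the daemon has no business touching.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# Devices: PrivateDevices=yes would hide the card readers, so instead close
# the device policy and allow only USB device nodes (the "usb_device"
# character major in /proc/devices, i.e. /dev/bus/usb/*).
# Assumption: all readers are USB; serial readers would need their tty added.
DevicePolicy=closed
DeviceAllow=char-usb_device rw
# No network. Assumption: libusb hotplug detection uses a netlink socket, so
# AF_NETLINK stays allowed next to AF_UNIX (the client socket). If hotplug
# stops working in the private network namespace, drop PrivateNetwork=
# and keep the address-family restriction.
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK
# Syscall filter and the remaining restrictions from the quoted list.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
NoNewPrivileges=yes
```

After applying it, `systemd-analyze security pcscd.service` reports which exposure points remain, and `journalctl -u pcscd` shows EPERM failures if the syscall filter or device policy is too tight for a given driver.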