While some may be put off by the thought of systemd being responsible for application sandboxing, it is possible, and fairly easy, to confine applications (and other objects) using systemd's sandboxing functionality. If you are curious how, the presentation from systemd.conf is embedded below:
Also related: some new systemd security features are landing in the project's Git tree.
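To make the sandboxing functionality mentioned above concrete, here is an added example of a hardened service unit. It is not code from the presentation or from the systemd project; the service name, the binary `/usr/local/bin/example-web`, its `--listen` flag and the state directory are hypothetical. Every directive is a real `systemd.exec` setting, but several of them (`DynamicUser=`, `ProtectKernelTunables=`, `RestrictNamespaces=`, the `@system-service` group) postdate the 2016 presentation, so the minimum usable version is an assumption noted per directive.

```ini
# /etc/systemd/system/example-web.service
# Constructed example: a network service confined with systemd sandboxing.
# systemd unit files only allow whole-line comments, hence the layout.
[Unit]
Description=Example confined web service (hypothetical)

[Service]
# Hypothetical daemon; replace with the real binary and arguments.
ExecStart=/usr/local/bin/example-web --listen 127.0.0.1:8080

# Run as a transient, unprivileged user that exists only while the service runs
# (assumed systemd >= 235).
DynamicUser=yes
# setuid/setgid binaries and file capabilities cannot raise privileges.
NoNewPrivileges=yes

# Filesystem view: /usr, /boot, /etc and most of the rest read-only;
# /home, /root and /run/user hidden; private /tmp and a minimal /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# /proc/sys, /sys and /sys/fs/cgroup read-only, no module loading
# (assumed systemd >= 232).
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# The one writable place the service gets: /var/lib/example-web, created
# and owned for the dynamic user automatically (assumed systemd >= 235).
StateDirectory=example-web

# Only IPv4/IPv6/Unix sockets, no new namespaces, no W+X memory
# (MemoryDenyWriteExecute breaks JIT-based runtimes; drop it for those).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes

# Drop every capability; an empty bounding set means none are retained.
CapabilityBoundingSet=

# seccomp: allow the @system-service group, then remove the privileged and
# resource-control syscalls from that allow-list (assumed systemd >= 235).
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Fail filtered calls with EPERM instead of killing the process, which
# makes the first deployment easier to debug.
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemd-analyze security example-web.service` (available since systemd 240) prints which directives are set and an overall exposure score, which is the quickest check that the confinement actually applies; for experimenting before writing a unit, the same settings can be passed to `systemd-run -p ProtectSystem=strict -p NoNewPrivileges=yes ...` to launch a command in a transient confined service.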
Unrelated to this presentation specifically, many Phoronix readers have been emailing me about "How to Crash Systemd in One Tweet." If you are interested in how it's possible for any user to crash systemd with one command, see this blog post by Andrew Ayer.