portable: set PrivateTmp=yes in trusted profile too

When running on images, you don't want to modify the /tmp
directory even if it's writable, and often it will just
be read-only. Set PrivateTmp=yes.

Fixes https://github.com/systemd/systemd/issues/23592

(cherry picked from commit f2d26cd89b195e53f184387f1a5b97a98512c82a)