post: Neuter all systemd PrivateTmp= and Protect(Home|System)

See https://github.com/systemd/systemd/issues/4082 for the root
of this (mounts not following symlinks).

For Protect(Home|System), for the most part this is unnecessary
with ostree (we already have a ro bind mount over /usr). And
unfortunately it doesn't cover `/sysroot`.

Anyways, at some point we'll revisit the systemd Protect*, but
for now let's have the current system boot.