With something like that in place we could then even introduce DefaultProtectProc= or so, which would allow to take away the access to procfs for all services, and then require an opt-in for for services that actually need access, i.e. the dbus, polkit and suchlike of this world. But...