systemd unit file: only allow tor to write to /var/lib/tor and /var/log/tor (#12751).
The rest of the filesystem is accessible for reading only. Still, quoting
systemd.exec(5):
Note that restricting access with these options does not extend to submounts
of a directory that are created later on.
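
A static check for the restriction described above, as an added example that is not part of the commit or the project's unit file. It assumes the sandbox is expressed with systemd's `ReadOnlyDirectories=`/`ReadWriteDirectories=` (spelled `ReadOnlyPaths=`/`ReadWritePaths=` in newer systemd); the function names and sample unit fragments are constructed for illustration.

```shell
#!/bin/sh
# Audit a unit file's filesystem sandbox against an allow-list of writable paths.

# Print the paths set by the matching directives, one per line,
# with the optional "-" / "+" path prefixes stripped.
unit_paths() {  # usage: unit_paths FILE 'NameA|NameB'
    awk -v re="^($2)=" '
        $0 ~ re {
            sub(/^[^=]*=/, "")
            if ($0 == "") { n = 0; next }   # empty assignment resets the list
            for (i = 1; i <= NF; i++) { p = $i; sub(/^[-+]+/, "", p); out[n++] = p }
        }
        END { for (i = 0; i < n; i++) print out[i] }' "$1"
}

# Return 0 only if "/" is read-only and every writable path is allow-listed.
audit_unit() {  # usage: audit_unit FILE "ALLOWED PATHS"
    rc=0
    unit_paths "$1" 'ReadOnlyDirectories|ReadOnlyPaths' | grep -qx '/' || {
        echo "root filesystem is not read-only"; rc=1; }
    for p in $(unit_paths "$1" 'ReadWriteDirectories|ReadWritePaths'); do
        case " $2 " in
            *" $p "*) ;;
            *) echo "unexpected writable path: $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample unit fragments (assumed directive layout).
sample_ok=$(mktemp); sample_bad=$(mktemp)
cat > "$sample_ok" <<'EOF'
[Service]
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
EOF
cat > "$sample_bad" <<'EOF'
[Service]
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/tor /var/log/tor /etc/tor
EOF
allowed="/var/lib/tor /var/log/tor"
audit_unit "$sample_ok" "$allowed" && echo "sample_ok: sandbox matches allow-list"
audit_unit "$sample_bad" "$allowed" || echo "sample_bad: sandbox too wide"
```

A check of the unit text cannot cover the submount caveat quoted from systemd.exec(5); that depends on what is mounted after the service starts.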