A nice thing I found is that if you do (which I see they did not in the examples)

  # ProtectSystem=

you can do

  TemporaryFileSystem=/:ro
  BindReadOnly=/usr/bin/binary /lib /lib64 /usr/lib usr/lib64 <paths you want to read>

And essentially just including the binary and the path you want available. ProtectSystem= is currently not compatible with this behavior.

EDIT: More info here: https://github.com/systemd/systemd/issues/33688

Seems that might be an issue for something that wants to e.g. send an e-mail when an error occurs?