Ubuntu configures systemd-tmpfiles to delete a snapd tmp dir, snapd runs setuid root and blindly trusts/executes files from a tmp dir it does not manage the life cycle of. Where is the flaw in systemd here?